Motopress Hotel Booking Lite plugin version 4.4.2 suffers from a persistent cross site scripting vulnerability.
3ed48165602f4bd9548ae2c2a60d166d4e4c761edf4ac75c034e6792d95ba5bb
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.4.2 - Stored Cross-Site Scripting (XSS)
# Date: 2022-09-28
# Exploit Author: Ali Alipour
# Vendor Homepage: https://motopress.com/
# Software Link: https://wordpress.org/plugins/motopress-hotel-booking-lite/
# Version: 4.4.2
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : N/A
PoC:
1: Install Latest WordPress
2: Install and activate Latest Motopress Hotel Booking Lite (4.4.2).
3: Navigate to Accommodation >> Services.
4: Click on "Add New" button And Enter the JavaScript Payload in the Title Field : ( "><script>alert("XSS")</script> )
5:Click on the publish button.
6. Visit http://localhost/wp/services/
7. XSS payload execute.