CVE-2025-66078 — AI Deep Analysis Summary

🚨 **Essence**: Hotel Booking Lite < 5.2.3 suffers from **Remote Code Inclusion** (RCE). 💥 **Consequences**: Attackers can inject malicious code, leading to full server compromise, data theft, or site defacement.

🛡️ **Root Cause**: **CWE-94** (Code Injection). The flaw stems from **improper code generation** within the plugin, allowing untrusted input to be executed as code.

👥 **Affected**: **Jetmonsters**' **Hotel Booking Lite** plugin. Specifically, versions **5.2.3 and earlier**. WordPress core is mentioned as context, but the vulnerability is in the plugin.

💻 **Hacker Capabilities**: With **CVSS 9.8 (Critical)**, attackers gain **High** impact on Confidentiality, Integrity, and Availability. They can execute arbitrary code, access sensitive data, and take over the website.

🔐 **Exploitation Threshold**: **Medium**. Requires **PR:H** (Privileges Required: High). The attacker likely needs **authenticated access** or specific user privileges to trigger the vulnerability.

📜 **Public Exploit**: **No PoC provided** in the data. However, references to Patchstack indicate it is a known, tracked vulnerability. Wild exploitation risk exists if auth is bypassed.

🔍 **Self-Check**: Scan for **Hotel Booking Lite** version **≤ 5.2.3**. Check for **CWE-94** indicators in PHP files. Look for unauthorized file inclusions or code execution attempts in logs.

🩹 **Official Fix**: **Yes**. The vendor (Jetmonsters) has acknowledged the issue. Users must **update** to the latest version of Hotel Booking Lite to patch the code generation flaw.

🚧 **No Patch Workaround**: If updating is impossible, **disable the plugin** immediately. Restrict access to WordPress admin areas. Implement **WAF rules** to block code injection patterns.

⚡ **Urgency**: **CRITICAL**. CVSS score is **9.8**. Despite requiring high privileges, the impact is total system compromise. **Patch immediately** upon update availability.