CVE-2025-66078: Improper Control of Generation of Code ('Code Injection') in jetmonsters Hotel Booking Lite
Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite (plugin slug: motopress-hotel-booking-lite) allows Remote Code Inclusion. This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.
AI Analysis
Technical Summary
CVE-2025-66078 is a critical security vulnerability classified as 'Improper Control of Generation of Code' or code injection in the jetmonsters Hotel Booking Lite plugin, versions up to 5.2.3. This plugin is widely used on WordPress websites to manage hotel bookings and reservations. The vulnerability allows remote attackers to perform Remote Code Inclusion (RCI), meaning they can inject malicious code that the server will execute. The CVSS 3.1 base score of 9.1 indicates a critical severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). Because no authentication or user interaction is needed, exploitation can be automated and widespread. The vulnerability arises from insufficient validation or sanitization of user-supplied input that is used in code generation or inclusion, allowing attackers to inject arbitrary code remotely. This can lead to full compromise of the affected web server, data theft, defacement, or pivoting into internal networks. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make it a high-risk threat. The vulnerability was reserved on 2025-11-21 and published on 2025-12-18, with no patches currently linked, indicating a potential zero-day window. Organizations using this plugin must prioritize mitigation to prevent exploitation.
Potential Impact
For European organizations, especially those in the hospitality and tourism sectors relying on the jetmonsters Hotel Booking Lite plugin, this vulnerability poses a severe risk. Exploitation can lead to unauthorized access to sensitive customer data such as personal identification, payment details, and booking information, violating GDPR and other data protection regulations. The integrity of booking systems can be compromised, resulting in fraudulent bookings or service disruptions. Although availability is not directly impacted, the reputational damage and regulatory penalties from data breaches can be substantial. Attackers could also use compromised servers as footholds for further attacks within corporate networks. Given the critical CVSS score and ease of exploitation, the threat could lead to widespread incidents if not addressed promptly. European organizations with online booking platforms are prime targets due to the high value of hospitality data and the prevalence of WordPress-based solutions.
Mitigation Recommendations
Immediate mitigation steps include:
- Monitoring the vendor's official channels for patches and applying them as soon as they are released.
- Temporarily disabling or removing the Hotel Booking Lite plugin if patching is not yet available.
- Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads indicative of code injection attempts targeting this plugin.
- Conducting thorough input validation and sanitization on all user inputs related to booking forms and plugin endpoints.
- Restricting access to plugin-related endpoints via IP whitelisting or authentication where possible.
- Performing regular security audits and penetration testing focused on WordPress plugins.
- Ensuring backups are up to date and tested for restoration to recover quickly from potential compromises.
- Educating IT and security teams about the vulnerability to recognize signs of exploitation.
These measures go beyond generic advice by focusing on plugin-specific controls and proactive monitoring.
Affected Countries
Spain, Italy, France, Germany, United Kingdom, Netherlands, Portugal, Greece
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-11-21T11:20:58.862Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6943b0564eb3efac36700b47
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 1/21/2026, 12:22:19 AM
Last updated: 2/6/2026, 1:59:12 AM