
CVE-2025-66078: Improper Control of Generation of Code ('Code Injection') in jetmonsters Hotel Booking Lite

Severity: Critical
Published: Thu Dec 18 2025 (12/18/2025, 07:22:17 UTC)
Source: CVE Database V5
Vendor/Project: jetmonsters
Product: Hotel Booking Lite

Description

CVE-2025-66078 is a code injection vulnerability in the jetmonsters Hotel Booking Lite plugin (versions up to 5.2.3). It allows remote attackers to perform Remote Code Inclusion (RCI), potentially leading to full system compromise. No CVSS score is assigned yet, but the vulnerability enables attackers to execute arbitrary code remotely without authentication. There are no known exploits in the wild currently. European organizations using this plugin on WordPress sites for hotel booking services are at risk. The impact includes confidentiality breaches, integrity loss, and availability disruption. Mitigation requires immediate patching once available, strict input validation, and restricting plugin usage to trusted environments. Countries with significant tourism industries and high WordPress adoption, such as Spain, Italy, France, and Germany, are most likely affected.

AI-Powered Analysis

Last updated: 12/18/2025, 07:59:19 UTC

Technical Analysis

CVE-2025-66078 is a critical security vulnerability identified in the jetmonsters Hotel Booking Lite WordPress plugin, specifically versions up to and including 5.2.3. The vulnerability is categorized as an 'Improper Control of Generation of Code' or code injection flaw, which enables Remote Code Inclusion (RCI). This means an attacker can remotely inject and execute arbitrary code on the affected server by exploiting insufficient validation or sanitization of user-supplied input that is used in code generation or inclusion processes. Because the vulnerability allows remote code execution without requiring authentication or user interaction, it poses a severe risk to the confidentiality, integrity, and availability of affected systems. The plugin is widely used for hotel booking functionalities on WordPress sites, which are common in the hospitality and tourism sectors. Although no public exploits have been reported yet, the nature of the vulnerability makes it a prime target for attackers seeking to compromise web servers, deploy malware, or pivot into internal networks. The lack of a CVSS score indicates the need for a severity assessment based on the technical details and potential impact. The vulnerability was published on December 18, 2025, with the initial reservation date on November 21, 2025, by Patchstack. No official patches or mitigations have been linked yet, emphasizing the urgency for affected organizations to monitor vendor updates and apply fixes promptly once available.

Potential Impact

For European organizations, especially those in the hospitality and tourism sectors relying on WordPress-based hotel booking solutions, this vulnerability presents a significant threat. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to steal sensitive customer data, manipulate booking information, deploy ransomware, or use compromised servers as a foothold for further attacks within corporate networks. The disruption of booking services can cause reputational damage and financial losses. Given the widespread use of WordPress and the popularity of the Hotel Booking Lite plugin, many small to medium enterprises across Europe could be affected. The impact extends beyond individual businesses to potentially affect the broader tourism infrastructure, especially in countries where tourism is a major economic driver. The lack of authentication requirements and ease of exploitation increase the likelihood of attacks, raising the urgency for mitigation. Additionally, compromised systems could be leveraged in larger botnets or for launching attacks against other targets, amplifying the threat landscape in Europe.

Mitigation Recommendations

1. Monitor official jetmonsters and WordPress plugin repositories for security patches addressing CVE-2025-66078 and apply them immediately upon release.
2. Until patches are available, consider disabling or removing the Hotel Booking Lite plugin if feasible, especially on publicly accessible sites.
3. Implement strict web application firewall (WAF) rules to detect and block suspicious input patterns that could trigger code injection attempts targeting this plugin.
4. Conduct thorough input validation and sanitization on all user-supplied data related to booking forms and plugin parameters.
5. Restrict file inclusion and execution permissions on the web server to limit the impact of potential code injection.
6. Regularly audit and monitor web server logs for unusual activity indicative of exploitation attempts.
7. Employ network segmentation to isolate web-facing servers from critical internal systems to reduce lateral movement risks.
8. Educate site administrators and developers about the risks of using outdated plugins and the importance of timely updates.
9. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts of known WordPress plugin vulnerabilities.
10. Backup website data and configurations regularly to enable rapid recovery in case of compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:20:58.862Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6943b0564eb3efac36700b47

Added to database: 12/18/2025, 7:42:14 AM

Last enriched: 12/18/2025, 7:59:19 AM

Last updated: 12/18/2025, 9:03:30 AM

