Skip to main content

VikBooking WordPress Plugin CVE-2026-12754

| EUVDEUVD-2026-40939 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-qvwp-h68m-3pjc
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-accessible reflected XSS with scope change; no auth required but victim click mandatory; shortcode condition does not raise AC beyond Low for a site actively using VikBooking.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 09:50 vuln.today
CVE Published
Jul 01, 2026 - 08:30 cve.org
MEDIUM 6.1

DescriptionCVE.org

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view="roomslist"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context.

AnalysisAI

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable layoutstyle parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running VikBooking ≤1.8.12
Delivery
Confirm public page with roomslist shortcode
Exploit
Craft URL with malicious layoutstyle payload
Execution
Deliver link to victim via phishing
Persist
Victim clicks link, page renders injected script
Impact
Script exfiltrates session cookie or performs admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific, concurrent conditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is appropriate: network-reachable, low complexity, no authentication required, but dependent on user interaction and producing only limited confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a hotel website identifies a publicly accessible WordPress page rendering the `[vikbooking view="roomslist"]` shortcode. The attacker crafts a URL appending a malicious `layoutstyle` parameter containing a JavaScript payload (e.g., a cookie-stealing script) and delivers it to a logged-in hotel administrator via a phishing email or social media message. …
Remediation Update VikBooking to version 1.8.13 or later, which contains the corrected output escaping in `site/views/roomslist/tmpl/default.php` per the upstream Trac repository (https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.13/site/views/roomslist/tmpl/default.php#L46). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy