Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8.
AnalysisAI
DOM-based cross-site scripting in the e4jvikwp VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.8) allows remote attackers to execute arbitrary JavaScript in a victim's browser after the victim interacts with a crafted link or page element. With CVSS 7.1 reflecting a scope change and user interaction requirement, the flaw can be used to hijack hotel administrator sessions or guest-facing booking workflows, though no public exploit identified at time of analysis.
Technical ContextAI
VikBooking is a commercial WordPress plugin from e4jvikwp providing hotel reservation and property management functionality, exposing both customer-facing booking forms and an administrative backend. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based variant where client-side JavaScript writes attacker-controllable input into the page DOM (e.g., via document.write, innerHTML, or unsanitized location/hash parsing) without proper encoding. Unlike reflected or stored XSS, DOM-based XSS is executed entirely in the browser and may not be visible in server logs, making detection harder. The scope-changed CVSS vector (S:C) suggests injected script can affect resources beyond the originally vulnerable component, consistent with a WordPress plugin context where escaped boundaries (admin vs. user UI) can be crossed.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-8-cross-site-scripting-xss-vulnerability and upgrade VikBooking to any release later than 1.8.8 once published by e4jvikwp. As compensating controls until patched, deploy a WordPress-aware WAF (Patchstack, Wordfence) with virtual patching rules for this CVE, enforce a strict Content-Security-Policy header that disallows inline script and restricts script-src to known origins (note: this may break legitimate plugin functionality and must be tested in staging), restrict access to the WordPress admin path via IP allow-listing or HTTP basic auth so that authenticated admins cannot be lured to crafted URLs from untrusted networks, and require administrators to use a separate browser profile when accessing /wp-admin to limit session theft impact.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33653
GHSA-g788-x856-768h