Skip to main content

VikBooking CVE-2026-6818

| EUVDEUVD-2026-42214 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-4827-4gjr-3cr2
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (PR:N/AV:N/AC:L) but the stored payload only fires when an operator opens the admin order page (UI:R), executing across a security boundary (S:C) with limited C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:37 vuln.today
CVE Published
Jul 08, 2026 - 11:30 nvd
HIGH 7.2

DescriptionCVE.org

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit booking with malicious special_requests
Delivery
Payload stored unsanitized in database
Exploit
Operator opens order in admin view
Execution
Script executes in privileged session
Impact
Hijack session or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target site runs VikBooking 1.8.8 or earlier and that the attacker can reach the public booking workflow to submit a 'special_requests' value - the exact field named in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, 7.2 High) reflects unauthenticated, low-complexity, network-reachable injection with a scope change into the admin context, but only Low confidentiality/integrity impact and no availability impact - consistent with stored XSS rather than direct code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a hotel booking through the public VikBooking form and places a JavaScript payload (e.g., an image tag with an onerror handler) in the 'special_requests' field. When a hotel staff member later opens that reservation in the WordPress admin order view, the script executes in their authenticated session, enabling actions such as cookie/session theft or admin-panel actions on their behalf. …
Remediation Vendor-released patch: update the VikBooking plugin to version 1.8.9 or later, which adds the missing sanitization/escaping on the 'special_requests' field (patched files viewable at https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running VikBooking versions ≤1.8.8; instruct hotel operations staff to report any suspicious characters or code-like text in booking special requests fields. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy