Skip to main content

VikBooking CVE-2026-6820

| EUVDEUVD-2026-42231 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-v4gf-r4fj-p25m
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network-reachable stored injection (AV:N/AC:L/PR:N); scope change as payload executes in a separate victim browser context (S:C) with limited confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 13:18 vuln.today
CVE Published
Jul 08, 2026 - 12:33 cve.org
HIGH 7.2

DescriptionCVE.org

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public booking submission endpoint
Delivery
Inject script via 'email' parameter
Exploit
Payload stored unsanitized in booking record
Execution
Admin/staff opens record page
Persist
Script executes in victim session
Impact
Hijack session or forge admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run VikBooking 1.8.8 or earlier and expose the booking/submission workflow that accepts the 'email' parameter to untrusted users - the default deployment for a public hotel booking site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) reflects a network-reachable, low-complexity, unauthenticated injection with a scope change - consistent with stored XSS whose payload crosses from the attacker into a victim's authenticated browser session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a booking or contact interaction to a VikBooking-powered site, placing a script payload (e.g., a cookie-exfiltration or admin-action snippet) into the 'email' field. The value is stored and later rendered without escaping when hotel staff open the corresponding record in the WordPress admin, executing the attacker's JavaScript in the administrator's authenticated session. …
Remediation Vendor-released patch: upgrade to VikBooking 1.8.9 or later, which adds the missing input sanitization and output escaping on the 'email' parameter in both the front-end and admin controllers; this is the primary and complete fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable VikBooking plugin on all WordPress installations running version 1.8.8 or earlier; audit server logs for malicious email parameter submissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy