Skip to main content

VikBooking EUVDEUVD-2026-32209

| CVE-2026-42762 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-vwhq-hq29-j28g
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:56 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.

AnalysisAI

DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.

Technical ContextAI

VikBooking is a commercial hotel reservation and property-management plugin for WordPress (vendor e4jvikwp). The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and is specifically DOM-based, meaning untrusted input is written into the page's Document Object Model by client-side JavaScript without proper neutralization, rather than being reflected or stored server-side. DOM XSS executes entirely in the browser when sink functions (e.g., innerHTML, document.write, location-derived data) consume attacker-controllable values from the page URL or other client sources, so the malicious payload may never appear in server logs. No CPE strings were provided in the input; affected-product identification relies on the EUVD version range and the Patchstack reference for the WordPress 'vikbooking' plugin.

RemediationAI

Upgrade the VikBooking plugin to the first release published after 1.8.9 (a fixed version number is not specified in the available data, so confirm the patched release directly via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-cross-site-scripting-xss-vulnerability and the vendor/WordPress.org plugin page before deploying). Because the exact patched version is not independently confirmed in this dataset, monitor for the vendor's update and apply it once released. As compensating controls until patched: deploy a web application firewall or virtual patch (Patchstack offers one for this CVE) to filter XSS payloads; add a restrictive Content-Security-Policy header to limit inline script execution and untrusted script sources (side effect: may break legitimate inline scripts and require tuning); and restrict or monitor access to the affected booking pages. Avoid distributing or clicking untrusted links targeting the booking interface, since exploitation requires user interaction.

Share

EUVD-2026-32209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy