Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
AnalysisAI
DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.
Technical ContextAI
VikBooking is a commercial hotel reservation and property-management plugin for WordPress (vendor e4jvikwp). The flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and is specifically DOM-based, meaning untrusted input is written into the page's Document Object Model by client-side JavaScript without proper neutralization, rather than being reflected or stored server-side. DOM XSS executes entirely in the browser when sink functions (e.g., innerHTML, document.write, location-derived data) consume attacker-controllable values from the page URL or other client sources, so the malicious payload may never appear in server logs. No CPE strings were provided in the input; affected-product identification relies on the EUVD version range and the Patchstack reference for the WordPress 'vikbooking' plugin.
RemediationAI
Upgrade the VikBooking plugin to the first release published after 1.8.9 (a fixed version number is not specified in the available data, so confirm the patched release directly via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-cross-site-scripting-xss-vulnerability and the vendor/WordPress.org plugin page before deploying). Because the exact patched version is not independently confirmed in this dataset, monitor for the vendor's update and apply it once released. As compensating controls until patched: deploy a web application firewall or virtual patch (Patchstack offers one for this CVE) to filter XSS payloads; add a restrictive Content-Security-Policy header to limit inline script execution and untrusted script sources (side effect: may break legitimate inline scripts and require tuning); and restrict or monitor access to the affected booking pages. Avoid distributing or clicking untrusted links targeting the booking interface, since exploitation requires user interaction.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32209
GHSA-vwhq-hq29-j28g