Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-accessible reflected XSS with scope change; no auth required but victim click mandatory; shortcode condition does not raise AC beyond Low for a site actively using VikBooking.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view="roomslist"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context.
AnalysisAI
Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable layoutstyle parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific, concurrent conditions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is appropriate: network-reachable, low complexity, no authentication required, but dependent on user interaction and producing only limited confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a hotel website identifies a publicly accessible WordPress page rendering the `[vikbooking view="roomslist"]` shortcode. The attacker crafts a URL appending a malicious `layoutstyle` parameter containing a JavaScript payload (e.g., a cookie-stealing script) and delivers it to a logged-in hotel administrator via a phishing email or social media message. … |
| Remediation | Update VikBooking to version 1.8.13 or later, which contains the corrected output escaping in `site/views/roomslist/tmpl/default.php` per the upstream Trac repository (https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.13/site/views/roomslist/tmpl/default.php#L46). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authe
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly res
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its setting
Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. Rated high severity (CVSS 8.8), this vulnerability is remo
Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40939
GHSA-qvwp-h68m-3pjc