Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network-reachable stored injection (AV:N/AC:L/PR:N); scope change as payload executes in a separate victim browser context (S:C) with limited confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'email' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run VikBooking 1.8.8 or earlier and expose the booking/submission workflow that accepts the 'email' parameter to untrusted users - the default deployment for a public hotel booking site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) reflects a network-reachable, low-complexity, unauthenticated injection with a scope change - consistent with stored XSS whose payload crosses from the attacker into a victim's authenticated browser session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a booking or contact interaction to a VikBooking-powered site, placing a script payload (e.g., a cookie-exfiltration or admin-action snippet) into the 'email' field. The value is stored and later rendered without escaping when hotel staff open the corresponding record in the WordPress admin, executing the attacker's JavaScript in the administrator's authenticated session. … |
| Remediation | Vendor-released patch: upgrade to VikBooking 1.8.9 or later, which adds the missing input sanitization and output escaping on the 'email' parameter in both the front-end and admin controllers; this is the primary and complete fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable VikBooking plugin on all WordPress installations running version 1.8.8 or earlier; audit server logs for malicious email parameter submissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authe
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly res
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its setting
Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. Rated high severity (CVSS 8.8), this vulnerability is remo
Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.
Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.1
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42231
GHSA-v4gf-r4fj-p25m