Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine for WordPress
CVE-2026-12754
6.1 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12754?
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) through the 'layoutstyle' parameter in all versions up to and including 1.8.12, due to inadequate input validation and output escaping. An attacker can inject arbitrary scripts into pages that use the [vikbooking view="roomslist"] shortcode. The injected script runs only if a user is tricked into clicking a malicious link; it then executes in that user's browser session, potentially compromising sensitive data and website integrity.
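A detection sketch for the weakness described above, added here as an example and not code from the plugin or its vendor: it scans web access log lines for requests whose layoutstyle query value is not a plain token. The allowlist pattern, the /rooms/ path, the values grid and list, and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate layoutstyle values are short identifier-like tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; /rooms/ is a hypothetical page using the shortcode.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2026:10:00:00 +0000] "GET /rooms/?layoutstyle=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jul/2026:10:01:00 +0000] "GET /rooms/?layoutstyle=list%22%3E%3Cx%3E HTTP/1.1" 200 5131 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jul/2026:10:02:00 +0000] "GET /rooms/?page=2&layoutstyle=%2522%253Cx%253E HTTP/1.1" 200 5140 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2026:10:03:00 +0000] "GET /rooms/?page=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
]


def suspicious_layoutstyle(log_line):
    """Return the decoded layoutstyle value if it fails the allowlist, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qsl percent-decodes once; blank values are dropped by default.
    for name, value in parse_qsl(query):
        if name.lower() != "layoutstyle":
            continue
        # Decode a second time so double-encoded values are reported readably.
        decoded = unquote(value)
        if not SAFE_VALUE.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_layoutstyle(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious layoutstyle value {value!r}")
```

Adjust SAFE_VALUE to the layout names the site actually uses; a hit is a lead for review, not proof that a script ran.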
Affected Version(s)
VikBooking Hotel Booking Engine & PMS: versions 0 through 1.8.12 (inclusive)