Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine for WordPress
CVE-2026-12754

6.1 MEDIUM

What is CVE-2026-12754?

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) through the 'layoutstyle' parameter, because of inadequate input validation and output escaping. All versions up to and including 1.8.12 are affected. An attacker can inject arbitrary script into pages that use the [vikbooking view="roomslist"] shortcode. The injected script runs only if a user is tricked into clicking a malicious link; it then executes in that user's browser session, potentially compromising sensitive data and website integrity.
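
A log-triage sketch for the issue described above, added here and not taken from the plugin or the advisory: it flags access-log requests whose `layoutstyle` value is anything other than a plain token, decoding twice so double-encoded markup is caught. The token allow-list, the combined log format and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: legitimate layoutstyle values are short plain tokens.
# The plugin's real set of accepted values is not given in the advisory.
PLAIN_TOKEN = re.compile(r"[A-Za-z0-9_-]{0,32}")
# Request line of an Apache/nginx combined-format log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_layoutstyle(log_line):
    """Return decoded layoutstyle values in one log line that are not plain tokens."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = match.group(1).partition("?")[2].partition("#")[0]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() != "layoutstyle":
            continue
        # parse_qsl decodes once; decode again so double-encoded markup shows up.
        decoded = unquote(value)
        if not PLAIN_TOKEN.fullmatch(decoded):
            hits.append(decoded)
    return hits

def scan(lines):
    """Return (line_number, value) pairs for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_layoutstyle(line)]

# Constructed sample entries (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /rooms/?layoutstyle=grid HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "GET /rooms/?layoutstyle=%22%3E%3Cscript%3E HTTP/1.1" 200 5240',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /rooms/?layoutstyle=%2522%253E%253Cb%253E HTTP/1.1" 200 5200',
    '203.0.113.7 - - [01/Jan/2026:10:00:12 +0000] "GET /contact/?name=a%3Cb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: layoutstyle={value!r}")
```

A hit is a lead for review, not proof of exploitation, and values sent in POST bodies do not appear in access logs.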

Affected Version(s)

VikBooking Hotel Booking Engine & PMS: all versions up to and including 1.8.12

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM