Stored Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS Plugin
CVE-2026-6820

7.2HIGH

What is CVE-2026-6820?

The VikBooking Hotel Booking Engine & PMS plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) attacks via the 'email' parameter. This issue arises from insufficient input sanitization and output escaping in all versions up to 1.8.8. Unauthenticated attackers can exploit this vulnerability to inject arbitrary web scripts. When users access the affected pages, these scripts are executed in their browsers, leading to potential data theft or unauthorized access. Website administrators are advised to update to a patched version and implement security measures to prevent such vulnerabilities.

Affected Version(s)

VikBooking Hotel Booking Engine & PMS 0 <= 1.8.8

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naoya Takahashi (nakko)
.