Stored Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS Plugin
CVE-2026-6820
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2026-6820?
The VikBooking Hotel Booking Engine & PMS plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) attacks via the 'email' parameter. This issue arises from insufficient input sanitization and output escaping in all versions up to 1.8.8. Unauthenticated attackers can exploit this vulnerability to inject arbitrary web scripts. When users access the affected pages, these scripts are executed in their browsers, leading to potential data theft or unauthorized access. Website administrators are advised to update to a patched version and implement security measures to prevent such vulnerabilities.
Affected Version(s)
VikBooking Hotel Booking Engine & PMS 0 <= 1.8.8