Description
The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an instance of Reflected Cross‑Site Scripting, originating from insufficient input sanitization and output escaping of the 'delto' parameter. It allows an unauthenticated attacker to inject arbitrary JavaScript into web pages that the victim's browser will render, potentially enabling phishing, credential theft, or malicious script execution. The weakness aligns with CWE‑79 and can compromise user data and trust in the website.

Affected Systems

The issue affects the VikRentItems Flexible Rental Management System plugin for WordPress, specifically all releases up to and including version 1.2.0. Users running a WordPress site with this plugin installed are susceptible; no other vendors or products are implicated by the available data.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA KEV, implying no confirmed large‑scale attacks yet. If an attacker can lure a user to interact with a specially crafted URL containing a malicious 'delto' payload, the XSS will occur on the victim's browser. The lack of authentication requirement and the reflected nature of the flaw make this an easily exploitable vector for phishing or script injection.

Generated by OpenCVE AI on April 22, 2026 at 00:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VikRentItems plugin to the latest version available, ensuring that the version is greater than 1.2.0.
  • If an immediate upgrade is not feasible, configure the WordPress instance to block or sanitize the 'delto' parameter, for example by using a security plugin that strips or escapes user‑supplied data in URLs.
  • Deploy a web application firewall (WAF) or enable a CSRF/XSS protection plugin to detect and mitigate reflected XSS attempts before they reach the browser.

Generated by OpenCVE AI on April 22, 2026 at 00:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared E4jvikwp
E4jvikwp vikrentitems Flexible Rental Management System
Wordpress
Wordpress wordpress
Vendors & Products E4jvikwp
E4jvikwp vikrentitems Flexible Rental Management System
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 07:30:00 +0000

Type Values Removed Values Added
Description The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

E4jvikwp Vikrentitems Flexible Rental Management System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:36.499Z

Reserved: 2025-12-04T16:54:45.261Z

Link: CVE-2025-14049

cve-icon Vulnrichment

Updated: 2025-12-12T20:44:54.115Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T08:15:47.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14049

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses