Impact
The VikBooking Hotel Booking Engine & PMS plugin contains a flaw that allows sensitive information to be inserted into the data it sends. The flaw is classified as a Sensitive Information Exposure weakness and is catalogued as CWE-201. An attacker can obtain confidential data by exploiting the plugin's data handling routines, potentially revealing customer personal details or payment information.
Affected Systems
This vulnerability affects the WordPress plugin identified as e4jvikwp:VikBooking Hotel Booking Engine & PMS. The issue is present in all versions from the initial release up to and including 1.8.2. No other product versions are listed as impacted.
Risk and Exploitability
The CVSS score of 5.9 suggests a moderate-severity risk. The EPSS score of less than 1% indicates that the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The description does not explicitly state the attack vector; it is inferred to involve access to the plugin's administrative interface or to the data exposed through the web application. In practice, an attacker would need some level of user interaction or a compromising environment to trigger the data leakage. Because the exploitation pathway is not fully described, a defensive posture remains prudent, but the risk of an undetected incident is considered limited at present.
OpenCVE Enrichment