Impact
The vulnerability is a missing authorization check in the VikBooking plugin for WordPress. Where the flaw is present, users with limited privileges can access or modify administrative functions that should be restricted. It is classified as missing authorization (CWE-862), a form of broken access control. Attackers could potentially view, edit or delete booking data, cancel reservations, or change booking settings, compromising data confidentiality and integrity. The description does not indicate remote code execution or denial of service but clearly permits unauthorized privilege escalation.
Affected Systems
The affected product is the VikBooking Hotel Booking Engine & PMS plugin for WordPress developed by e4jvikwp. All installations running versions from the first public release up to and including 1.8.2 are vulnerable. No specific distribution or operating system restrictions are indicated.
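To check an installation against the affected range, the following added example (not part of the advisory or the plugin's code) reads the version from a plugin's WordPress header comment and compares it with 1.8.2. The sample header is constructed, and the code assumes the plugin's main PHP file carries a standard `Version:` header line.

```python
import re

# Last affected version stated in the advisory (inclusive upper bound).
LAST_AFFECTED = "1.8.2"

# WordPress reads plugin metadata from "Key: value" lines in a comment
# header near the top of the plugin's main PHP file.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$",
    re.M | re.I,
)

# Constructed sample header for illustration, not copied from the plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: VikBooking
 * Version: 1.8.2
 */
"""

def parse_plugin_header(php_source):
    """Return lower-cased header fields found in the first 8 KiB of the file."""
    fields = {}
    for key, value in _HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_key(version):
    """Turn '1.8.2' into (1, 8, 2, 0); suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    # Pad so that '1.8' and '1.8.0' compare equal.
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(php_source):
    """True if version <= LAST_AFFECTED, False if newer, None if not found."""
    version = parse_plugin_header(php_source).get("version")
    if version is None:
        return None
    return version_key(version) <= version_key(LAST_AFFECTED)

if __name__ == "__main__":
    print(parse_plugin_header(SAMPLE_HEADER), is_affected(SAMPLE_HEADER))
```

A result of `None` means the file had no parsable version line and the installation should be checked by hand.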
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk. The EPSS score is below 1%, suggesting a low probability of exploitation at this point. The vulnerability is not listed in the CISA KEV catalog. Because the flaw involves a missing authorization check, the likely attack vector is an authenticated user who is able to elevate privileges by accessing restricted administrative endpoints. As no further technical details are supplied, it is inferred that the attacker would need access to a regular user account, after which the broken check would allow unauthorized actions.