Impact
The VikBooking Hotel Booking Engine & PMS plugin is vulnerable to a reflected cross-site scripting flaw exposed through the "layoutstyle" query parameter. Untrusted input is neither sanitized nor correctly escaped when rendering the [vikbooking view="roomslist"] shortcode, permitting attackers to inject arbitrary scripts that execute in the victim's browser. This can lead to credential theft, defacement, or session hijacking as the script runs with the victim's privileges.
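To show the defect class described above, here is an added PHP illustration that is not the plugin's own code: a hypothetical shortcode handler that writes the "layoutstyle" query value into the rooms-list markup unescaped, beside a hardened version that allowlists the value and escapes it for the attribute context. The function names, the set of allowed layouts, the sample room data and the markup are assumptions; only the parameter name, the shortcode name and the roomslist view come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Function names, layout names
// and markup are hypothetical.

// Vulnerable pattern: the query-string value is concatenated straight into
// the markup, so whatever the client sends reaches the browser unchanged.
function vbx_roomslist_unsafe( $atts ) {
    $atts   = shortcode_atts( array( 'view' => '' ), $atts, 'vikbooking' );
    $layout = isset( $_GET['layoutstyle'] ) ? $_GET['layoutstyle'] : 'default';
    if ( 'roomslist' !== $atts['view'] ) {
        return '';
    }
    return '<div class="vb-rooms ' . $layout . '">' . vbx_render_rooms() . '</div>';
}

// Hardened pattern: unslash, reduce to a safe key, compare against a fixed
// allowlist, and escape for the HTML attribute context regardless.
function vbx_roomslist_safe( $atts ) {
    $atts    = shortcode_atts( array( 'view' => '' ), $atts, 'vikbooking' );
    $allowed = array( 'default', 'grid', 'list' );          // hypothetical layouts
    $layout  = isset( $_GET['layoutstyle'] )
        ? sanitize_key( wp_unslash( $_GET['layoutstyle'] ) )
        : 'default';
    if ( ! in_array( $layout, $allowed, true ) ) {
        $layout = 'default';                                  // reject anything unknown
    }
    if ( 'roomslist' !== $atts['view'] ) {
        return '';
    }
    // esc_attr() is applied even after validation: defence in depth.
    return '<div class="vb-rooms ' . esc_attr( $layout ) . '">' . vbx_render_rooms() . '</div>';
}

// Placeholder for the real rooms-list rendering; each item is escaped for
// the HTML text context before output.
function vbx_render_rooms() {
    $rooms = array( 'Single', 'Double' );                    // constructed sample data
    $html  = '';
    foreach ( $rooms as $room ) {
        $html .= '<p>' . esc_html( $room ) . '</p>';
    }
    return $html;
}

add_shortcode( 'vikbooking', 'vbx_roomslist_safe' );
```

When reviewing a fixed release, the check is that every sink fed from `$_GET['layoutstyle']` passes through validation and a context-appropriate escaper (`esc_attr()` for attributes, `esc_html()` for text) rather than being echoed directly.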
Affected Systems
WordPress sites running the VikBooking Hotel Booking Engine & PMS plugin version 1.8.12 or earlier, supplied by the vendor e4jvikwp. The vulnerability exists only in those affected releases and is triggered when the page displays the rooms list view. No later versions are mentioned as affected.
Risk and Exploitability
The CVSS score of 6.1 indicates a moderate severity for this XSS issue. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Exploitation is remote, unauthenticated, and relies on a victim being tricked into visiting a crafted URL that includes a malicious "layoutstyle" value. Once the page loads, the attacker's script runs in the victim's browser, enabling a range of client-side attacks.
OpenCVE Enrichment