Impact
The vulnerability is a DOM‑based cross‑site scripting flaw in the VikBooking Hotel Booking Engine & PMS plugin that fails to properly neutralize user input when rendering web pages. An attacker who can supply crafted input—most likely via URL parameters or form fields—can cause the victim’s browser to execute arbitrary JavaScript in the context of the site. This can lead to theft of session cookies, defacement of the site’s content, or further phishing attacks against site users. While the flaw does not grant direct server‑side code execution, the impact on confidentiality, integrity and availability of user data can be severe.
Affected Systems
The issue affects the e4jvikwp VikBooking Hotel Booking Engine & PMS plugin for WordPress versions from the initial release up to and including 1.8.8. Any installation running a version of the plugin at or below 1.8.8 is vulnerable until updated to at least 1.8.9.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. Because the flaw is DOM‑based, the attacker must lure a victim into visiting a malicious URL; exploitation happens client‑side and requires no specialized or privileged access to the server. The vulnerability is not currently listed in CISA’s KEV catalog, and no EPSS score is available, so the current likelihood of exploitation is uncertain. However, given the high impact and the relative ease of deploying a malicious link, administrators should treat this threat as potentially impactful.