Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, resulting in a DOM-based cross-site scripting flaw. An attacker can inject malicious JavaScript into pages rendered by the VikBooking plugin; the injected script may steal session cookies, deface content, or redirect users to phishing sites. The flaw can be exploited by attackers who can influence the user inputs or URLs that the plugin processes.

Affected Systems

The issue affects the WordPress plugin VikBooking Hotel Booking Engine & PMS from its earliest releases through version 1.8.9. Administrators of sites running these plugin versions are at risk, regardless of their WordPress core version.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity with potential impact on confidentiality and integrity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires client-side interaction: a user must be tricked into visiting a crafted link or supplying input that the plugin does not properly sanitize. While no public exploit scripts are documented, the DOM-based nature of the flaw means that typical phishing or drive-by attack vectors could be used.

Generated by OpenCVE AI on May 27, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VikBooking to the latest version that addresses the XSS flaw; the fix is available in releases newer than 1.8.9.
  • If an upgrade cannot be performed immediately, configure the plugin's input handling to encode or escape all user-supplied data before it is rendered, so that no untrusted content can execute as script.
  • Deploy a Content Security Policy that restricts script sources to trusted origins and blocks inline scripts, reducing the impact of any remaining XSS vectors.
  • Monitor user-generated content, audit it for unexpected script tags, and review login logs for suspicious activity.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Title        (none)           WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:47:29.773Z

Reserved: 2026-04-29T09:05:44.122Z

Link: CVE-2026-42762

Vulnrichment

Updated: 2026-05-27T10:47:24.611Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:22.897

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42762

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:15:05Z

Weaknesses