Search
Find a vulnerability
Search criteria
20 vulnerabilities found for VikBooking Hotel Booking Engine & PMS by e4jvikwp
CVE-2026-57723 (GCVE-0-2026-57723)
Vulnerability from nvd – Published: 2026-07-01 17:08 – Updated: 2026-07-01 17:57 X_Open Source
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.8.12
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T17:56:47.302399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:57:59.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "VDsec | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026amp; PMS allows Path Traversal.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026amp; PMS: from n/a through 1.8.12.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS allows Path Traversal.\n\nThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through 1.8.12."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:08:43.612Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-12-csrf-to-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.13)."
}
],
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.13)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-57723",
"datePublished": "2026-07-01T17:08:43.612Z",
"dateReserved": "2026-06-25T08:04:13.263Z",
"dateUpdated": "2026-07-01T17:57:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12754 (GCVE-0-2026-12754)
Vulnerability from nvd – Published: 2026-07-01 08:30 – Updated: 2026-07-01 10:32
VLAI
Title
VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'layoutstyle' Parameter
Summary
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view="roomslist"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:25:19.577828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:32:03.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027layoutstyle\u0027 parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view=\"roomslist\"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T08:30:05.314Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d126213-e342-4271-aca0-5cc47214ae8b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/libraries/adapter/input/filter.php#L385"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.13/site/views/roomslist/tmpl/default.php#L46"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-19T19:45:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T20:07:22.000Z",
"value": "Disclosed"
}
],
"title": "VikBooking Hotel Booking Engine \u0026 PMS \u003c= 1.8.12 - Reflected Cross-Site Scripting via \u0027layoutstyle\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12754",
"datePublished": "2026-07-01T08:30:05.314Z",
"dateReserved": "2026-06-19T19:29:52.724Z",
"dateUpdated": "2026-07-01T10:32:03.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42683 (GCVE-0-2026-42683)
Vulnerability from nvd – Published: 2026-06-01 14:44 – Updated: 2026-06-01 16:18 X_Open Source
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.8 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.8.8
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:14:43.019257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:18:35.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Evan NR | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026amp; PMS allows DOM-Based XSS.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026amp; PMS: from n/a through 1.8.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS allows DOM-Based XSS.\n\nThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through 1.8.8."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:44:38.472Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.9)."
}
],
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.9)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.8 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42683",
"datePublished": "2026-06-01T14:44:38.472Z",
"dateReserved": "2026-04-29T09:04:56.882Z",
"dateUpdated": "2026-06-01T16:18:35.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42762 (GCVE-0-2026-42762)
Vulnerability from nvd – Published: 2026-05-27 09:49 – Updated: 2026-05-27 10:47
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.9
(custom)
|
Date Public
2026-05-27 11:08
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:42:18.379695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:47:29.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhcd05 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-05-27T11:08:54.381Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows DOM-Based XSS.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:49:06.084Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.9 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42762",
"datePublished": "2026-05-27T09:49:06.084Z",
"dateReserved": "2026-04-29T09:05:44.122Z",
"dateUpdated": "2026-05-27T10:47:29.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42737 (GCVE-0-2026-42737)
Vulnerability from nvd – Published: 2026-05-27 09:49 – Updated: 2026-05-27 10:52
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.9
(custom)
|
Date Public
2026-05-27 11:08
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:45:34.302524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:52:10.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "dodoh4t | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-05-27T11:08:52.565Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Path Traversal.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:49:04.590Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.9 - Arbitrary File Deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42737",
"datePublished": "2026-05-27T09:49:04.590Z",
"dateReserved": "2026-04-29T09:05:25.570Z",
"dateUpdated": "2026-05-27T10:52:10.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49918 (GCVE-0-2025-49918)
Vulnerability from nvd – Published: 2025-12-18 07:21 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.2
(custom)
|
Date Public
2026-04-22 14:23
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T19:34:17.819379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T19:38:45.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:23:38.230Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:07.897Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.2 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49918",
"datePublished": "2025-12-18T07:21:44.067Z",
"dateReserved": "2025-06-11T16:06:59.982Z",
"dateUpdated": "2026-04-28T16:13:07.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5803 (GCVE-0-2025-5803)
Vulnerability from nvd – Published: 2025-11-06 15:54 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.2
(custom)
|
Date Public
2026-04-22 14:24
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T18:43:03.079349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T18:43:06.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:24:56.313Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:40.872Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.2 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-5803",
"datePublished": "2025-11-06T15:54:18.609Z",
"dateReserved": "2025-06-06T10:04:42.368Z",
"dateUpdated": "2026-04-28T16:13:40.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22670 (GCVE-0-2025-22670)
Vulnerability from nvd – Published: 2025-03-27 14:14 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.7.2 - CSRF to Settings Change vulnerability
Summary
Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.7.2.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.7.2
(custom)
|
Date Public
2026-04-01 16:31
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T15:39:19.795521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:39:25.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.7.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:52.607Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.7.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.7.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:04.215Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-7-2-csrf-to-settings-change-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.7.2 - CSRF to Settings Change vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22670",
"datePublished": "2025-03-27T14:14:49.403Z",
"dateReserved": "2025-01-07T21:02:59.478Z",
"dateUpdated": "2026-04-28T16:11:04.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11641 (GCVE-0-2024-11641)
Vulnerability from nvd – Published: 2025-01-26 11:09 – Updated: 2026-04-08 16:59
VLAI
Title
VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
Summary
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.7.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T15:31:56.405398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T15:32:00.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"lessThanOrEqual": "1.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Noah Stead"
}
],
"descriptions": [
{
"lang": "en",
"value": "The VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the \u0027save\u0027 function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:45.110Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb6611d-7a4b-4ca8-b9cc-c156437e89b5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225861/vikbooking"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "VikBooking Hotel Booking Engine \u0026 PMS \u003c= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11641",
"datePublished": "2025-01-26T11:09:44.807Z",
"dateReserved": "2024-11-22T21:40:59.251Z",
"dateUpdated": "2026-04-08T16:59:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32501 (GCVE-0-2023-32501)
Vulnerability from nvd – Published: 2023-11-09 22:18 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS Plugin <= 1.6.1 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine & PMS plugin <= 1.6.1 versions.
Severity
4.3 (Medium)
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/vik… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| E4J s.r.l. | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.6.1
(custom)
|
|
| vikwp | vikbooking_hotel_booking_engine_\&_pms |
Affected:
0 , ≤ 1.6.1
(custom)
cpe:2.3:a:vikwp:vikbooking_hotel_booking_engine_\&_pms:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:18:37.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vikwp:vikbooking_hotel_booking_engine_\\\u0026_pms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "vikbooking_hotel_booking_engine_\\\u0026_pms",
"vendor": "vikwp",
"versions": [
{
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:54:06.350958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:56:24.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "E4J s.r.l.",
"versions": [
{
"changes": [
{
"at": "1.6.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nguyen Xuan Chien (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.6.1 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c=\u00a01.6.1 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:22.642Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a01.6.2 or a higher version."
}
],
"value": "Update to\u00a01.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin \u003c= 1.6.1 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32501",
"datePublished": "2023-11-09T22:18:56.850Z",
"dateReserved": "2023-05-09T07:39:38.342Z",
"dateUpdated": "2026-04-28T16:08:22.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57723 (GCVE-0-2026-57723)
Vulnerability from cvelistv5 – Published: 2026-07-01 17:08 – Updated: 2026-07-01 17:57 X_Open Source
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.8.12
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T17:56:47.302399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:57:59.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "VDsec | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026amp; PMS allows Path Traversal.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026amp; PMS: from n/a through 1.8.12.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS allows Path Traversal.\n\nThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through 1.8.12."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T17:08:43.612Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-12-csrf-to-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.13)."
}
],
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.13)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.12 - CSRF to Arbitrary File Deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-57723",
"datePublished": "2026-07-01T17:08:43.612Z",
"dateReserved": "2026-06-25T08:04:13.263Z",
"dateUpdated": "2026-07-01T17:57:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12754 (GCVE-0-2026-12754)
Vulnerability from cvelistv5 – Published: 2026-07-01 08:30 – Updated: 2026-07-01 10:32
VLAI
Title
VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'layoutstyle' Parameter
Summary
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view="roomslist"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:25:19.577828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:32:03.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027layoutstyle\u0027 parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view=\"roomslist\"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T08:30:05.314Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d126213-e342-4271-aca0-5cc47214ae8b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/libraries/adapter/input/filter.php#L385"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.13/site/views/roomslist/tmpl/default.php#L46"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-19T19:45:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T20:07:22.000Z",
"value": "Disclosed"
}
],
"title": "VikBooking Hotel Booking Engine \u0026 PMS \u003c= 1.8.12 - Reflected Cross-Site Scripting via \u0027layoutstyle\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12754",
"datePublished": "2026-07-01T08:30:05.314Z",
"dateReserved": "2026-06-19T19:29:52.724Z",
"dateUpdated": "2026-07-01T10:32:03.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42683 (GCVE-0-2026-42683)
Vulnerability from cvelistv5 – Published: 2026-06-01 14:44 – Updated: 2026-06-01 16:18 X_Open Source
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.8 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.8.8
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:14:43.019257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:18:35.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Evan NR | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026amp; PMS allows DOM-Based XSS.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026amp; PMS: from n/a through 1.8.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS allows DOM-Based XSS.\n\nThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through 1.8.8."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-588 DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:44:38.472Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.9)."
}
],
"value": "Update the WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin to the latest available version (at least 1.8.9)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.8 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42683",
"datePublished": "2026-06-01T14:44:38.472Z",
"dateReserved": "2026-04-29T09:04:56.882Z",
"dateUpdated": "2026-06-01T16:18:35.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42762 (GCVE-0-2026-42762)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:49 – Updated: 2026-05-27 10:47
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.9
(custom)
|
Date Public
2026-05-27 11:08
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:42:18.379695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:47:29.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhcd05 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-05-27T11:08:54.381Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows DOM-Based XSS.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:49:06.084Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.9 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42762",
"datePublished": "2026-05-27T09:49:06.084Z",
"dateReserved": "2026-04-29T09:05:44.122Z",
"dateUpdated": "2026-05-27T10:47:29.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42737 (GCVE-0-2026-42737)
Vulnerability from cvelistv5 – Published: 2026-05-27 09:49 – Updated: 2026-05-27 10:52
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.9
(custom)
|
Date Public
2026-05-27 11:08
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:45:34.302524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:52:10.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "dodoh4t | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-05-27T11:08:52.565Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Path Traversal.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T09:49:04.590Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.9 - Arbitrary File Deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-42737",
"datePublished": "2026-05-27T09:49:04.590Z",
"dateReserved": "2026-04-29T09:05:25.570Z",
"dateUpdated": "2026-05-27T10:52:10.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49918 (GCVE-0-2025-49918)
Vulnerability from cvelistv5 – Published: 2025-12-18 07:21 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.2
(custom)
|
Date Public
2026-04-22 14:23
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T19:34:17.819379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T19:38:45.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:23:38.230Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:07.897Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.2 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49918",
"datePublished": "2025-12-18T07:21:44.067Z",
"dateReserved": "2025-06-11T16:06:59.982Z",
"dateUpdated": "2026-04-28T16:13:07.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5803 (GCVE-0-2025-5803)
Vulnerability from cvelistv5 – Published: 2025-11-06 15:54 – Updated: 2026-04-28 16:13
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.8.2
(custom)
|
Date Public
2026-04-22 14:24
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T18:43:03.079349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T18:43:06.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.8.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:24:56.313Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.8.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:40.872Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.8.2 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-5803",
"datePublished": "2025-11-06T15:54:18.609Z",
"dateReserved": "2025-06-06T10:04:42.368Z",
"dateUpdated": "2026-04-28T16:13:40.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22670 (GCVE-0-2025-22670)
Vulnerability from cvelistv5 – Published: 2025-03-27 14:14 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.7.2 - CSRF to Settings Change vulnerability
Summary
Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.7.2.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.7.2
(custom)
|
Date Public
2026-04-01 16:31
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T15:39:19.795521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:39:25.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"changes": [
{
"at": "1.7.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:52.607Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.7.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine \u0026 PMS vikbooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VikBooking Hotel Booking Engine \u0026 PMS: from n/a through \u003c= 1.7.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:04.215Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-7-2-csrf-to-settings-change-vulnerability?_s_id=cve"
}
],
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c= 1.7.2 - CSRF to Settings Change vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22670",
"datePublished": "2025-03-27T14:14:49.403Z",
"dateReserved": "2025-01-07T21:02:59.478Z",
"dateUpdated": "2026-04-28T16:11:04.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11641 (GCVE-0-2024-11641)
Vulnerability from cvelistv5 – Published: 2025-01-26 11:09 – Updated: 2026-04-08 16:59
VLAI
Title
VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
Summary
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS |
Affected:
0 , ≤ 1.7.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T15:31:56.405398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T15:32:00.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "e4jvikwp",
"versions": [
{
"lessThanOrEqual": "1.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Noah Stead"
}
],
"descriptions": [
{
"lang": "en",
"value": "The VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the \u0027save\u0027 function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:45.110Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb6611d-7a4b-4ca8-b9cc-c156437e89b5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225861/vikbooking"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "VikBooking Hotel Booking Engine \u0026 PMS \u003c= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11641",
"datePublished": "2025-01-26T11:09:44.807Z",
"dateReserved": "2024-11-22T21:40:59.251Z",
"dateUpdated": "2026-04-08T16:59:45.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32501 (GCVE-0-2023-32501)
Vulnerability from cvelistv5 – Published: 2023-11-09 22:18 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress VikBooking Hotel Booking Engine & PMS Plugin <= 1.6.1 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine & PMS plugin <= 1.6.1 versions.
Severity
4.3 (Medium)
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/vik… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| E4J s.r.l. | VikBooking Hotel Booking Engine & PMS |
Affected:
n/a , ≤ 1.6.1
(custom)
|
|
| vikwp | vikbooking_hotel_booking_engine_\&_pms |
Affected:
0 , ≤ 1.6.1
(custom)
cpe:2.3:a:vikwp:vikbooking_hotel_booking_engine_\&_pms:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:18:37.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vikwp:vikbooking_hotel_booking_engine_\\\u0026_pms:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "vikbooking_hotel_booking_engine_\\\u0026_pms",
"vendor": "vikwp",
"versions": [
{
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:54:06.350958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:56:24.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "vikbooking",
"product": "VikBooking Hotel Booking Engine \u0026 PMS",
"vendor": "E4J s.r.l.",
"versions": [
{
"changes": [
{
"at": "1.6.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nguyen Xuan Chien (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.6.1 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c=\u00a01.6.1 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:22.642Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a01.6.2 or a higher version."
}
],
"value": "Update to\u00a01.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress VikBooking Hotel Booking Engine \u0026 PMS Plugin \u003c= 1.6.1 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32501",
"datePublished": "2023-11-09T22:18:56.850Z",
"dateReserved": "2023-05-09T07:39:38.342Z",
"dateUpdated": "2026-04-28T16:08:22.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}