CVE-2026-6818 in VikBooking Plugin
Summary
by MITRE • 07/08/2026
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'special_requests' parameter in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The VikBooking Hotel Booking Engine & PMS plugin for WordPress represents a critical security vulnerability through its susceptibility to stored cross-site scripting attacks targeting the special_requests parameter. This flaw affects all versions up to and including 1.8.8, creating a persistent threat vector that allows unauthenticated attackers to inject malicious web scripts into the plugin's data handling mechanisms. The vulnerability stems from inadequate input sanitization processes and insufficient output escaping measures that fail to properly validate or sanitize user-supplied data before it is stored in the database and subsequently rendered on web pages.
The technical implementation of this vulnerability demonstrates a classic stored XSS flaw where attacker-controlled input flows through the special_requests parameter without proper sanitization, enabling malicious script execution within the context of affected user sessions. When legitimate users access pages containing the injected scripts, these malicious payloads execute automatically, potentially leading to session hijacking, credential theft, or further exploitation of the compromised systems. The vulnerability operates at the intersection of input validation and output encoding failures, creating a scenario where user-provided content bypasses security controls that should prevent malicious code from being persisted in the system's database.
From an operational perspective, this vulnerability presents significant risk to hotel booking systems and their users, as it allows attackers to compromise any user who views pages containing the injected scripts. The impact extends beyond simple script execution to potentially enable full session takeover attacks, data exfiltration, and exploitation of the underlying WordPress platform. Attackers can leverage this vulnerability to target administrators or other privileged users who may access booking records containing the malicious payloads, potentially leading to complete system compromise.
Organizations should implement immediate mitigations including input validation and output escaping controls that sanitize all user-supplied data before storage and properly encode output for safe rendering. The vulnerability aligns with CWE-79 which addresses cross-site scripting flaws in web applications, and corresponds to ATT&CK technique T1566 related to phishing campaigns that exploit web application vulnerabilities. Additionally, the issue demonstrates characteristics of persistent threat vectors common in content management systems where user input is not adequately filtered before database persistence. Immediate patching to versions beyond 1.8.8 is essential, while implementing proper security headers and content security policies can provide additional defense-in-depth measures against exploitation attempts.