Gabriel3476

**Name of the Vulnerable Software and Affected Versions** VikBooking Hotel Booking Engine & PMS WordPress plugin versions prior to 1.5.8 **Description** The issue allows attackers to make a logged-in admin add a tracking campaign with XSS payloads via a CSRF attack, as there is no CSRF check in place when adding a tracking campaign, and the campaign fields are not escaped when outputting them in attributes. **Recommendations** For versions prior to 1.5.8, update to version 1.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the tracking campaign feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VikBooking Hotel Booking Engine & PMS WordPress plugin versions prior to 1.5.8 **Description** The issue allows high privilege users, such as admins, to perform Cross-Site Scripting attacks. This is possible because the plugin does not properly escape various settings before outputting them in attributes, even when unfiltered html is disallowed. **Recommendations** For versions prior to 1.5.8, update to version 1.5.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VikBooking Hotel Booking Engine & PMS WordPress plugin versions prior to 1.5.8 **Description** The issue allows high privilege users, such as administrators, to upload PHP files disguised as images, which can contain malicious PHP code, due to improper image validation. **Recommendations** For versions prior to 1.5.8, update to version 1.5.8 or later to resolve the issue. As a temporary workaround, consider restricting image upload capabilities to trusted users until the update is applied.