PT-2022-13864 · WordPress · VikBooking Hotel Booking Engine & PMS

Gabriel3476 · Published 2022-05-16 · Updated 2022-05-24 · CVE-2022-1407

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: VikBooking Hotel Booking Engine & PMS WordPress plugin, versions prior to 1.5.8

Description: The issue allows an attacker to make a logged-in admin add a tracking campaign containing XSS payloads via a CSRF attack: there is no CSRF check in place when adding a tracking campaign, and the campaign fields are not escaped when they are output in HTML attributes.

Recommendations: For versions prior to 1.5.8, update to version 1.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the tracking campaign feature to minimize the risk of exploitation.
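The two defects named in the description, a missing CSRF check on the write path and unescaped attribute output on the read path, shown beside their fix in a hypothetical WordPress admin handler. This is an added example, not VikBooking's code; the option name, nonce action, capability and form field names are assumptions.

```php
<?php
// Hypothetical plugin code (added example, not VikBooking's own).
// Option name, nonce action and field names are assumptions.

// VULNERABLE pattern: the POST is processed with no nonce/referer check, so a
// forged cross-site form submitted by a logged-in admin is accepted, and the
// stored name is later echoed into an attribute without escaping.
function vuln_add_campaign() {
    if ( ! isset( $_POST['campaign_name'] ) ) {
        return;
    }
    $campaigns   = get_option( 'example_tracking_campaigns', array() );
    $campaigns[] = array( 'name' => $_POST['campaign_name'] ); // raw, untrusted
    update_option( 'example_tracking_campaigns', $campaigns );
}
function vuln_render_campaign_field( $campaign ) {
    // A name containing a double quote terminates the value attribute here,
    // so anything after it is parsed as new attributes: stored XSS.
    return '<input type="text" value="' . $campaign['name'] . '">';
}

// FIXED pattern: capability check and nonce verification before writing,
// sanitisation on store, and esc_attr() on output.
function fixed_add_campaign() {
    if ( ! isset( $_POST['campaign_name'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Aborts the request if the nonce is missing or invalid; a cross-site
    // forged form cannot supply a valid nonce for the victim's session.
    check_admin_referer( 'example_add_campaign', 'example_nonce' );
    $name        = sanitize_text_field( wp_unslash( $_POST['campaign_name'] ) );
    $campaigns   = get_option( 'example_tracking_campaigns', array() );
    $campaigns[] = array( 'name' => $name );
    update_option( 'example_tracking_campaigns', $campaigns );
}
function fixed_render_campaign_field( $campaign ) {
    // esc_attr() encodes quotes and angle brackets so the value cannot
    // break out of the attribute.
    return '<input type="text" value="' . esc_attr( $campaign['name'] ) . '">';
}
function render_campaign_form() {
    // The legitimate admin form carries the matching nonce field.
    return '<form method="post">'
         . wp_nonce_field( 'example_add_campaign', 'example_nonce', true, false )
         . '<input type="text" name="campaign_name"><button>Add</button></form>';
}
```

In a real plugin the add handler is hooked on admin_init or an admin_post_* action; the check_admin_referer() call must run before any state is changed.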

Tags: CSRF


Related Identifiers: CVE-2022-1407

Affected Products: VikBooking Hotel Booking Engine & PMS