PT-2026-54622 · WordPress · Vikbooking Hotel Booking Engine & Pms

Prism

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-12754

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions VikBooking Hotel Booking Engine & PMS plugin for WordPress versions prior to 1.8.13
Description Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Reflected Cross-Site Scripting. This occurs when the layoutstyle parameter is processed within the context of the [vikbooking view="roomslist"] shortcode, enabling the injection of arbitrary web scripts that execute if a user is tricked into clicking a malicious link.
Recommendations Update the plugin to version 1.8.13 or later. As a temporary mitigation, restrict the use of the [vikbooking view="roomslist"] shortcode on public pages.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12754

Affected Products

Vikbooking Hotel Booking Engine & Pms