VikBooking Hotel Booking Engine & PMS < 1.6.8 – Reflected Cross-Site Scripting | CVE 2024-32563 | Plugin Vulnerabilities

Description

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.6.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/364c8488-dab2-46bd-84b6-adfa59e2b013

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Majed Refaea

Verified

No

WPVDB ID

1b05264e-b071-4d26-8ed8-43689eb01ca1

Timeline

Publicly Published

2024-04-16 (about 26 days ago)

Added

2024-04-25 (about 16 days ago)

Last Updated

2024-04-25 (about 16 days ago)

Other

Published

Title

Published

2014-08-01

Title

WordPress 3.6 - _wp_http_referer Parameter Cross-Site Scripting (XSS)

Published

2021-12-06

Title

WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting

Published

2022-12-19

Title

WP Recipe Maker < 8.6.1 - Contributor+ Stored XSS

Published

2022-10-30

Title

Soledad < 8.2.6 - Subscriber+ Cross-Site Scripting

Published

2023-09-04

Title

wpShopGermany – Protected Shops < 2.1 - Admin+ Stored XSS