Product
An unauthenticated Stored Cross-Site Scripting vulnerability (CVE-2026-6820) in the VikBooking Hotel Booking Engine & PMS plugin for WordPress versions up to 1.8.8 allows attackers to inject malicious web scripts via the 'email' parameter, leading to client-side code execution in victims' browsers.