{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vikbooking-hotel-booking-engine--pms-plugin--1.8.9/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6818"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VikBooking Hotel Booking Engine \u0026 PMS plugin \u003c 1.8.9"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","xss","web-vulnerability","cms"],"_cs_type":"advisory","_cs_vendors":["e4jvikwp","WordPress"],"content_html":"\u003cp\u003eCVE-2026-6818 details a critical stored cross-site scripting (XSS) vulnerability impacting the VikBooking Hotel Booking Engine \u0026amp; PMS plugin for WordPress, specifically affecting all versions up to and including 1.8.8. This flaw stems from inadequate input sanitization and output escaping of the 'special_requests' parameter, allowing unauthenticated attackers to embed malicious JavaScript code. When a user, such as an administrator or another customer, views a page containing the specially crafted 'special_requests' data, the injected script executes within their browser context. The consequences of such an attack can include session hijacking, unauthorized data exfiltration, malicious redirection, or website defacement. This vulnerability highlights the importance of rigorous input validation and output encoding in web applications, especially in popular content management systems like WordPress.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable VikBooking Hotel Booking Engine \u0026amp; PMS plugin (versions \u0026lt;= 1.8.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses a customer-facing booking form or a similar endpoint where the 'special_requests' parameter is accepted.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious cross-site scripting (XSS) payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert('XSS');\u0026lt;/script\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\u003c/code\u003e) and submits it within the 'special_requests' field during a booking or request submission.\u003c/li\u003e\n\u003cli\u003eThe VikBooking plugin, due to insufficient input sanitization, stores this malicious payload directly into the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user (e.g., a site administrator or another customer) navigates to a page within the WordPress dashboard or the public site where the stored 'special_requests' content is displayed (e.g., booking details, order management).\u003c/li\u003e\n\u003cli\u003eThe web server retrieves the stored malicious payload from the database and renders it in the legitimate user's browser without proper output escaping.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes in the context of the user's browser session, allowing the attacker to steal session cookies, deface the page, redirect the user, or perform other malicious actions, achieving unauthorized data access or session hijacking.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6818 allows unauthenticated attackers to inject persistent malicious scripts into vulnerable WordPress sites. When executed in a legitimate user's browser, these scripts can lead to various severe consequences, including session hijacking, enabling the attacker to impersonate the user and access sensitive information. Attackers could also redirect users to phishing sites, perform unauthorized actions on behalf of the victim, or deface the website's content, damaging the organization's reputation and trust. The wide adoption of WordPress plugins means a significant number of websites could be at risk if not promptly patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the VikBooking Hotel Booking Engine \u0026amp; PMS plugin to version 1.8.9 or higher to remediate CVE-2026-6818.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to inject XSS payloads into web requests.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive webserver logging (e.g., Apache access logs, Nginx access logs, IIS logs) to capture full HTTP request bodies and query parameters.\u003c/li\u003e\n\u003cli\u003eRegularly review web application logs for unusual HTTP requests, especially those containing common XSS vectors or suspicious characters within user-supplied input fields.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T12:20:17Z","date_published":"2026-07-08T12:20:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6818-vikbooking-xss/","summary":"A stored cross-site scripting vulnerability (CVE-2026-6818) exists in the VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress, affecting versions up to and including 1.8.8, caused by insufficient input sanitization of the 'special_requests' parameter, enabling unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page, potentially leading to unauthorized data access, session hijacking, or defacement.","title":"CVE-2026-6818: VikBooking WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6818-vikbooking-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - VikBooking Hotel Booking Engine \u0026 PMS Plugin \u003c 1.8.9","version":"https://jsonfeed.org/version/1.1"}