Vendor
A stored cross-site scripting vulnerability (CVE-2026-6818) exists in the VikBooking Hotel Booking Engine & PMS plugin for WordPress, affecting versions up to and including 1.8.8, caused by insufficient input sanitization of the 'special_requests' parameter, enabling unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page, potentially leading to unauthorized data access, session hijacking, or defacement.