VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 26 known issues Latest disclosed Nov 07, 2025

VikBooking Hotel Booking Engine & PMS Vulnerabilities

Review known vulnerability records for the WordPress plugin VikBooking Hotel Booking Engine & PMS (`vikbooking`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-49918, CVE-2025-5803 and CVE-2024-13616, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
26
High or Critical
4
Patch Coverage
100%
Last Updated
Dec 19, 2025
Priority CVE Quick Links

Fast paths into VikBooking Hotel Booking Engine & PMS CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
26
CVE-2022-27862 Critical 1.5.4
CVE-2022-27862 VikBooking Hotel Booking Engine & PMS Arbitrary File Upload

VikBooking Hotel Booking Engine & PMS <= 1.5.3 - Arbitrary File Upload

CVE-2024-11641 High 1.7.3
CVE-2024-11641 VikBooking Hotel Booking Engine & PMS Remote Code Execution

VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

CVE-2022-1407 High 1.5.8
CVE-2022-1407 VikBooking Hotel Booking Engine & PMS Stored Cross-Site Scripting

VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

CVE-2025-49918 High 1.8.3
CVE-2025-49918 VikBooking Hotel Booking Engine & PMS Sensitive Information Exposure

VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Unauthenticated Information Exposure

CVE-2024-32563 Medium 1.6.8
CVE-2024-32563 VikBooking Hotel Booking Engine & PMS Cross-Site Scripting

VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Reflected Cross-Site Scripting

CVE-2022-1528 Medium 1.5.9
CVE-2022-1528 VikBooking Hotel Booking Engine & PMS Cross-Site Scripting

VikBooking <= 1.5.8 - Reflected Cross-Site Scripting

CVE-2022-1409 Medium 1.5.9
CVE-2022-1409 VikBooking Hotel Booking Engine & PMS Arbitrary File Upload

VikBooking Hotel Booking Engine & PMS <= 1.5.8 - Arbitrary File Upload

CVE-2022-1408 Medium 1.5.8
CVE-2022-1408 VikBooking Hotel Booking Engine & PMS Stored Cross-Site Scripting

VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Admin+ Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for VikBooking Hotel Booking Engine & PMS so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 3 high severity findings.
Recent CVEs
CVE-2025-49918, CVE-2025-5803 and CVE-2024-13616
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for VikBooking Hotel Booking Engine & PMS

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2025-49918
CVE-2025-49918: VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Unauthenticated Information Exposure

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Nov 07, 2025
Patched Release
1.8.3
Affected Versions
Versions up to 1.8.2
Next Step
Update to 1.8.3 or newer if supported.
Open CVE-2025-49918 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-5803
CVE-2025-5803: VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Missing Authorization

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Oct 21, 2025
Patched Release
1.8.3
Affected Versions
Versions up to 1.8.2
Next Step
Update to 1.8.3 or newer if supported.
Open CVE-2025-5803 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13616
CVE-2024-13616: VikBooking Hotel Booking Engine & PMS <= 1.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

Published
Mar 03, 2025
Patched Release
1.7.2
Affected Versions
Versions up to 1.7.1
Next Step
Update to 1.7.2 or newer if supported.
Open CVE-2024-13616 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-22670
CVE-2025-22670: VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Settings Update

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update t...

Published
Feb 03, 2025
Patched Release
1.7.3
Affected Versions
Versions up to 1.7.2
Next Step
Update to 1.7.3 or newer if supported.
Open CVE-2025-22670 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-11641
CVE-2024-11641: VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attacker...

Published
Jan 25, 2025
Patched Release
1.7.3
Affected Versions
Versions up to 1.7.2
Next Step
Update to 1.7.3 or newer if supported.
Open CVE-2024-11641 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2441
CVE-2024-2441: VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Insecure Direct Object Reference to Menu Access

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.7 via the option endpoint due to missing validation on the 'task' user controlled key. This makes it possible for authenticat...

Published
Apr 19, 2024
Patched Release
1.6.8
Affected Versions
Versions up to 1.6.7
Next Step
Update to 1.6.8 or newer if supported.
Open CVE-2024-2441 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-2749
CVE-2024-2749: VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Missing Authorization

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to unauthorized access due to insufficient capability checking in all versions up to, and including, 1.6.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

Published
Apr 19, 2024
Patched Release
1.6.8
Affected Versions
Versions up to 1.6.7
Next Step
Update to 1.6.8 or newer if supported.
Open CVE-2024-2749 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-32563
CVE-2024-32563: VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Reflected Cross-Site Scripting

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject ar...

Published
Apr 16, 2024
Patched Release
1.6.8
Affected Versions
Versions up to 1.6.7
Next Step
Update to 1.6.8 or newer if supported.
Open CVE-2024-32563 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-25707
CVE-2023-25707: VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetranslationstay function

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.12. This is due to missing or incorrect nonce validation on the savetranslationstay function. This makes it possible for unauthenticate...

Published
Feb 15, 2023
Patched Release
1.6.0
Affected Versions
Versions up to 1.5.12
Next Step
Update to 1.6.0 or newer if supported.
Open CVE-2023-25707 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-25707
CVE-2023-25707: VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in admin_widgets_welcome function

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.12. This is due to missing or incorrect nonce validation on the admin_widgets_welcome function. This makes it possible for unauthentica...

Published
Feb 15, 2023
Patched Release
1.6.0
Affected Versions
Versions up to 1.5.12
Next Step
Update to 1.6.0 or newer if supported.
Open CVE-2023-25707 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-25707
CVE-2023-25707: VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetmplfile function

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.12. This is due to missing or incorrect nonce validation on the savetmplfile function. This makes it possible for unauthenticated attac...

Published
Feb 15, 2023
Patched Release
1.6.0
Affected Versions
Versions up to 1.5.12
Next Step
Update to 1.6.0 or newer if supported.
Open CVE-2023-25707 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-25707
CVE-2023-25707: VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in widgets_watch_data function

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.12. This is due to missing or incorrect nonce validation on the widgets_watch_data function. This makes it possible for unauthenticated...

Published
Feb 15, 2023
Patched Release
1.6.0
Affected Versions
Versions up to 1.5.12
Next Step
Update to 1.6.0 or newer if supported.
Open CVE-2023-25707 Report Open CVE Reference