WordPress VikBooking Hotel Booking Engine & PMS Plugin <= 1.5.12 is vulnerable to Cross Site Request Forgery (CSRF)
This could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication. An example is a password change, which would then allow the malicious actor to log in to the admin account.
Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.6.0).
- 04 February 2023: Reported to Patchstack
- 06 February 2023: Vulnerability validated
- 15 February 2023: Vulnerability fixed
- 15 February 2023: Vulnerability disclosed