Severity: HIGH | CVE-2026-42683 | CNA: Patchstack

CVE-2026-42683: WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8.

Metrics

CVSS v3.1 score: 7.1
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A DOM-based cross-site scripting (XSS) vulnerability exists in the VikBooking Hotel Booking Engine and PMS WordPress plugin at version 1.8.8 and earlier. The flaw is reachable over the network without any authentication, but it requires the victim to interact with a crafted link or page (AV:N, PR:N, UI:R in the CVSS vector). Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, and limited availability disruption. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched rebuild the moment upstream ships one.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-42683 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images incorporating this plugin. Any image containing VikBooking Hotel Booking Engine and PMS at version 1.8.8 or earlier is flagged automatically.

Triage (status: Available)

HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and weights the finding against each customer environment's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within the customer org based on configured policy rules.

Patch (status: Pending upstream)

Because no fix version has been published, HarborGuard re-checks the upstream advisory and Patchstack feed on every ingest cycle. A patched-image rebuild will become available automatically the moment the vendor ships a remediated release, with no manual configuration required.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can deliver a malicious payload from any internet-accessible origin without needing local or adjacent access.

  • Authentication: Not required

    No account or credentials are needed to craft and deliver the malicious payload to a target.

  • Victim interaction: Required

    A victim must take an action such as clicking a crafted link or visiting an attacker-controlled page that triggers the DOM-based XSS payload in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Reads the victim's active session cookies, enabling account hijacking if the cookies are not marked HttpOnly.
  • Injects and executes arbitrary JavaScript in the victim's browser session, allowing manipulation of booking forms or displayed reservation data.
  • Modifies visible page content in the victim's browser, enabling phishing or credential-harvesting overlays targeting hotel guests or administrators.
  • Degrades the victim's browser session by injecting scripts that consume resources or redirect the user away from the legitimate site.
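The following is an added example, not code from the VikBooking plugin or from HarborGuard. It shows the general shape of the DOM-based XSS class described in the Synopsis (a browser-side source such as a URL parameter reaching an HTML sink unchanged) next to two hardened forms, and adds a Set-Cookie attribute check for the HttpOnly concern raised in the Blast Radius list. The `msg` parameter, the `vb-status` class name and the `wp_sess` cookie name are constructed for illustration; the advisory does not name the plugin's actual source or sink.

```javascript
// Added example (not VikBooking or HarborGuard code). Assumed for illustration:
// a `msg` URL parameter as the untrusted source and a status <p> as the sink.

// --- Source: parse a query string or hash fragment into a key/value map ---
function parseParams(search) {
  const out = {};
  const qs = /^[?#]/.test(search) ? search.slice(1) : search;
  for (const part of qs.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    const rawVal = eq === -1 ? '' : part.slice(eq + 1);
    out[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return out;
}

// --- Vulnerable pattern: untrusted text concatenated into an HTML sink ---
// `container` is any element-like object with an innerHTML property, so the
// function also runs under Node with a plain object standing in for the DOM.
function renderStatusUnsafe(container, search) {
  const msg = parseParams(search).msg || '';
  container.innerHTML = '<p class="vb-status">' + msg + '</p>'; // markup in msg is parsed
  return container.innerHTML;
}

// --- Hardened pattern 1: HTML-escape the value before it reaches the sink ---
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderStatusEscaped(container, search) {
  const msg = parseParams(search).msg || '';
  container.innerHTML = '<p class="vb-status">' + escapeHtml(msg) + '</p>';
  return container.innerHTML;
}

// --- Hardened pattern 2: use a text sink so markup is never parsed at all ---
// Preferred in real DOM code: build the element, assign textContent, attach it.
// `doc` defaults to the browser document; a stub can be passed under Node.
function renderStatusText(container, search, doc = globalThis.document) {
  const msg = parseParams(search).msg || '';
  const p = doc.createElement('p');
  p.className = 'vb-status';
  p.textContent = msg; // text sink: '<' stays a literal character
  container.replaceChildren(p);
  return p.textContent;
}

// --- Blast-radius limiter: session cookies that script cannot read ---
// Parses one Set-Cookie header value. HttpOnly keeps document.cookie from
// exposing the value if XSS fires; Secure and SameSite narrow what a stolen
// or forged request can do. Attribute names are matched case-insensitively.
function cookieFlags(setCookieHeader) {
  const parts = setCookieHeader.split(';').map((s) => s.trim());
  const [name] = parts[0].split('=');
  const attrs = parts.slice(1).map((s) => s.toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith('samesite='));
  return {
    name,
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: sameSite ? sameSite.slice('samesite='.length) : null,
  };
}
function isSessionCookieHardened(setCookieHeader) {
  const f = cookieFlags(setCookieHeader);
  return f.httpOnly && f.secure && f.sameSite !== null && f.sameSite !== 'none';
}

// Stand-alone demo with a plain object standing in for the DOM element.
const demo = { innerHTML: '' };
console.log(renderStatusUnsafe(demo, '?msg=%3Cb%3Ehi%3C%2Fb%3E'));  // <p class="vb-status"><b>hi</b></p>
console.log(renderStatusEscaped(demo, '?msg=%3Cb%3Ehi%3C%2Fb%3E')); // <p class="vb-status">&lt;b&gt;hi&lt;/b&gt;</p>
console.log(isSessionCookieHardened('wp_sess=abc123; Path=/; HttpOnly; Secure; SameSite=Lax')); // true
```

Of the two hardened forms, the text sink is the one to reach for when the value is meant to be displayed as text; escaping is for the cases where a template must be assembled as an HTML string. The cookie check is a review aid for the HttpOnly point above: an XSS that fires against a session cookie without HttpOnly can read it directly, while one with the flag set is limited to acting within the page.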

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored against all customer images containing the VikBooking Hotel Booking Engine and PMS plugin at version 1.8.8 or earlier. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a remediated version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy rules that restrict untrusted input paths to the affected plugin, egress filtering to limit exfiltration surface if XSS fires, and feature-flag gating to disable the vulnerable plugin endpoint where operationally feasible. For customers with auto-remediation enabled, the moment a fix version appears, HarborGuard will trigger a rebuild, run regression tests, and open a pull request against affected workloads without requiring manual intervention.

Affected packages
  • e4jvikwp / VikBooking Hotel Booking Engine & PMS
    ≤ 1.8.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L