CVE-2022-1528: 
WordPress vulnerability analysis and mitigation

The VikBooking Hotel Booking Engine & PMS WordPress plugin before version 1.5.9 contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2022-1528. The vulnerability was discovered by Bruno Halltari and publicly disclosed on May 3, 2022. The issue affects the WordPress plugin vikbooking and stems from the plugin's failure to properly escape the current URL before placing it in a JavaScript context (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue can be exploited through specially crafted URLs, such as by appending malicious JavaScript payloads to wp-admin URLs (WPScan).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the specially crafted URLs. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in VikBooking version 1.5.9. Users are advised to update to this version or later to mitigate the security risk (WPScan).