CVE-2024-13616: 
WordPress vulnerability analysis and mitigation

The VikBooking Hotel Booking Engine & PMS WordPress plugin before version 1.7.2 contains a stored Cross-Site Scripting (XSS) vulnerability that affects the plugin's settings functionality. The vulnerability was discovered in late 2024 and was assigned CVE-2024-13616 (MITRE CVE).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. This security flaw specifically affects the plugin's settings functionality, where high-privilege users can perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite WordPress setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, NIST NVD).

The vulnerability enables high-privilege users to inject and store malicious scripts in the plugin settings. These scripts can then be executed when other users access the affected areas, potentially leading to unauthorized actions being performed in the context of the victim's browser session (Wiz).

The vulnerability has been patched in version 1.7.2 of the VikBooking plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).