WordPress Plugin Vulnerabilities

VikBooking Hotel Booking Engine & PMS < 1.8.3 - Unauthenticated Information Exposure

Description

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
vikbooking
Fixed in 1.8.3

References

CVE
CVE-2025-49918
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/692fe371-a22c-4144-a17f-bde1c1850bfa

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
8d322c33-9b86-4f9d-899f-711c3c9d7abf

Timeline

Publicly Published
2025-11-07 (about 6 months ago)
Added
2025-12-19 (about 4 months ago)
Last Updated
2025-12-19 (about 4 months ago)

Other

Published
Title
Published
2025-11-20
Title
LearnPress – WordPress LMS Plugin < 4.3.0 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure
Published
2025-03-04
Title
Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More < 2.6.0 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2025-09-25
Title
Email marketing for WordPress by GetResponse Official < 1.5.4 - Authenticated (Subscriber+) Information Exposure
Published
2024-08-08
Title
Reveal Template <= 3.7 - Unauthenticated Full Path Disclosure
Published
2026-02-26
Title
RepairBuddy < 4.1133 - Unauthenticated Information Exposure