
CVE-2024-13616: CWE-79 Cross-Site Scripting (XSS) in Unknown VikBooking Hotel Booking Engine & PMS

Medium
Tags: Vulnerability, CVE-2024-13616, cve, cwe-79
Published: Thu May 15 2025 (05/15/2025, 20:07:03 UTC)
Source: CVE
Vendor/Project: Unknown
Product: VikBooking Hotel Booking Engine & PMS

Description

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 07:43:42 UTC

Technical Analysis

CVE-2024-13616 is a medium-severity stored Cross-Site Scripting vulnerability (CWE-79) in the VikBooking Hotel Booking Engine & PMS WordPress plugin in versions before 1.7.2. The plugin neither sanitises certain settings values when they are saved nor escapes them when they are rendered, so a user who can edit those settings can store HTML that contains script, and that script executes in the browser of anyone who later views the page on which the value is output.

The notable point is the unfiltered_html capability. WordPress uses it to decide who is trusted to save raw HTML. On a single site administrators hold it; on a multisite network only super admins do (site administrators are deliberately denied it), and it can be removed for everyone with the DISALLOW_UNFILTERED_HTML constant. Core runs its kses filters over the content it controls (post content, comments and so on) when the saving user lacks the capability, but it cannot do that for option values a plugin writes on its own; the plugin has to apply the same rule itself. Because VikBooking did not, a multisite site administrator can still plant a payload that runs in the session of a super admin or of any other user who opens the affected screen. In that configuration the flaw is a real privilege-boundary bypass, not merely an administrator injecting script into a site they already control.

Exploitation requires a high-privilege account and user interaction: a victim has to load the page that renders the stored value. The CVSS v3.1 base score of 4.8 (medium) corresponds to a network attack vector, low attack complexity, high privileges required, user interaction required, changed scope, low impact on confidentiality and integrity and no impact on availability. The consequences are those of any stored XSS in an admin context: the script runs with the victim's cookies and can read the nonces it needs, so it can perform actions with the victim's privileges through admin-ajax or the REST API, read data the victim can see and, on multisite, escalate from site administrator to super admin. Version 1.7.2 is the release that addresses the issue. No exploitation in the wild was known at the time of writing. The plugin is a niche hotel-booking and property-management product, so exposure is concentrated in hospitality businesses, and the most plausible attackers are malicious insiders or attackers who have already compromised an administrator account.
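The pattern behind this class of bug, as an added illustration that is not VikBooking's code and does not reproduce its actual settings: a plugin settings field handled the vulnerable way (raw value stored and echoed back, trusting the administrator role) next to the hardened way (sanitise on save according to whether the current user really holds unfiltered_html, escape on output for the context). The option name example_booking_footer_note, the settings group example_booking_options and the function names are hypothetical; the WordPress functions called are the real core ones.

```php
<?php
/**
 * Illustrative example, not code from the VikBooking plugin.
 * Hypothetical option: example_booking_footer_note (a free-text setting on an
 * admin page). Both halves would live in a plugin file loaded by WordPress.
 */

/* ---- Vulnerable pattern (CWE-79) ---------------------------------------- */

function example_save_settings_vulnerable() {
    // Checks the role only. The assumption "an administrator may save anything"
    // is exactly the one multisite (and DISALLOW_UNFILTERED_HTML) revokes.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $raw = isset( $_POST['footer_note'] ) ? wp_unslash( $_POST['footer_note'] ) : '';
    // Stored verbatim: <script>, on* handlers and javascript: URLs all survive.
    update_option( 'example_booking_footer_note', $raw );
}

function example_render_settings_vulnerable() {
    $note = get_option( 'example_booking_footer_note', '' );
    // Unescaped output: a stored payload executes for every user who opens
    // this screen, including a super admin on a multisite network.
    echo '<textarea name="footer_note">' . $note . '</textarea>';
    echo '<p class="description">Current: ' . $note . '</p>';
}

/* ---- Hardened pattern ---------------------------------------------------- */

function example_sanitize_footer_note( $value ) {
    $value = (string) $value;
    // Ask core, not the role table: current_user_can() goes through
    // map_meta_cap(), which denies unfiltered_html to non-super-admins on
    // multisite and to everyone when DISALLOW_UNFILTERED_HTML is set.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // Same allow-list core applies to post content: keeps basic markup,
    // strips script tags, event-handler attributes and javascript: URLs.
    return wp_kses_post( $value );
}

function example_register_settings() {
    // The Settings API routes saves through options.php (nonce-checked) and
    // runs sanitize_callback on every write to this option.
    register_setting(
        'example_booking_options',
        'example_booking_footer_note',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_footer_note',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_settings_hardened() {
    $note = get_option( 'example_booking_footer_note', '' );
    // Escape for the output context. Filtering again on output is deliberate:
    // a value saved earlier by a user who did hold unfiltered_html still
    // cannot turn into script when rendered for someone else.
    echo '<textarea name="footer_note">' . esc_textarea( $note ) . '</textarea>';
    echo '<p class="description">Current: ' . wp_kses_post( $note ) . '</p>';
}
```

The two halves differ in where trust is decided. The vulnerable version decides it once, by role, at save time; the hardened version asks WordPress at save time (so the multisite and DISALLOW_UNFILTERED_HTML rules are honoured automatically) and escapes at render time regardless, so that no single missed check turns into script execution in another user's session.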

Potential Impact

For European organizations, especially hospitality businesses running WordPress with the VikBooking plugin, the risk is internal compromise and data leakage rather than remote takeover. A stored payload executes with the privileges of whichever user views the affected settings screen, so an attacker could read or alter booking records and customer personal data, create further administrator accounts, or otherwise act as that user. That exposes the business to reputational damage, regulatory consequences (for example GDPR obligations following disclosure of customer data) and operational disruption. Because a high-privilege account is needed to plant the payload, the realistic entry points are insider misuse, a compromised administrator account, and, on multisite networks, a site administrator who is deliberately denied unfiltered_html escalating to super admin. Availability is not directly affected; confidentiality and integrity of the data held by the site are.

Mitigation Recommendations

Organizations should audit their WordPress installations for the VikBooking Hotel Booking Engine & PMS plugin and, where it is present, confirm the installed version and update to 1.7.2 or later, which addresses the missing sanitisation and escaping. Where an update cannot be applied immediately, limit who holds administrator (and, on multisite, super admin) access, enforce multi-factor authentication on those accounts, and review the plugin's stored settings for script-like content that may already have been planted. A Content Security Policy reduces the impact of an XSS payload on the public front end, but a strict policy is rarely practical for wp-admin because WordPress core relies on inline scripts there; treat it as defence in depth, not a fix. Monitor logs for unexpected administrator activity, in particular changes to plugin settings and the creation of new privileged users, and keep phishing and credential-hygiene training current, since a compromised admin account is the most likely way an external attacker reaches this flaw. A Web Application Firewall can be given rules for script-like input to the plugin's settings endpoints, with the caveat that many WAF policies are relaxed for authenticated admin traffic and that a determined attacker can encode around pattern rules. Finally, routine vulnerability scanning will flag the outdated plugin version, and periodic penetration testing of the admin area helps surface similar escaping gaps in other plugins.
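The audit steps above, as an added WP-CLI script that is not part of this page or of the plugin. It is run from the site root with `wp eval-file vikbooking-audit.php` and performs three checks: whether an installed VikBooking version is below the fixed release 1.7.2, whether each administrator account actually holds unfiltered_html on this installation (which is the condition under which the flaw becomes a privilege-boundary bypass), and whether any plugin option already contains script-like content. Assumptions, all hypothetical and to be adjusted to the real installation: the plugin directory name begins with "vikbooking", and the plugin's rows in wp_options share the prefix "vik".

```php
<?php
/**
 * vikbooking-audit.php  (added example; run with: wp eval-file vikbooking-audit.php)
 * Assumptions (hypothetical): plugin directory starts with "vikbooking";
 * plugin options in wp_options start with "vik". Adjust both to match the site.
 */

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

const VB_FIXED_VERSION = '1.7.2'; // fixed release named in the advisory

/* 1. Is a vulnerable version installed? */
$found = false;
foreach ( get_plugins() as $plugin_file => $data ) {
    // $plugin_file is relative, e.g. "vikbooking/vikbooking.php" (assumed name).
    if ( stripos( $plugin_file, 'vikbooking' ) !== 0 ) {
        continue;
    }
    $found = true;
    $vulnerable = version_compare( $data['Version'], VB_FIXED_VERSION, '<' );
    WP_CLI::log( sprintf(
        '%s %s (%s): %s',
        $data['Name'],
        $data['Version'],
        $plugin_file,
        $vulnerable ? 'VULNERABLE, update to ' . VB_FIXED_VERSION : 'ok'
    ) );
}
if ( ! $found ) {
    WP_CLI::log( 'No plugin directory starting with "vikbooking" found.' );
}

/* 2. Which administrators really hold unfiltered_html here?
 *    user_can() goes through map_meta_cap(), so it reflects multisite and
 *    DISALLOW_UNFILTERED_HTML, unlike looking at the role's capability table. */
WP_CLI::log( sprintf(
    'multisite: %s, DISALLOW_UNFILTERED_HTML: %s',
    is_multisite() ? 'yes' : 'no',
    ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) ? 'set' : 'not set'
) );
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    WP_CLI::log( sprintf(
        'admin %s (ID %d): unfiltered_html %s',
        $user->user_login,
        $user->ID,
        user_can( $user, 'unfiltered_html' ) ? 'allowed' : 'DISALLOWED (plugin must filter for this user)'
    ) );
}

/* 3. Has something already been planted? A coarse pattern over the plugin's
 *    options; a hit needs manual review, a miss is not proof of absence. */
global $wpdb;
$script_like = '/<script|javascript:|on[a-z]+\s*=|<svg|<iframe/i';
$rows = $wpdb->get_results(
    "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE 'vik%'"
);
$hits = 0;
foreach ( $rows as $row ) {
    if ( preg_match( $script_like, $row->option_value ) ) {
        $hits++;
        WP_CLI::warning( 'Script-like content in option ' . $row->option_name );
    }
}
WP_CLI::log( sprintf( 'Scanned %d option rows, %d suspicious.', count( $rows ), $hits ) );
```

On a multisite network run it per site (`wp --url=<site> eval-file ...`), since options and site administrators are per site while unfiltered_html is decided network-wide; the second check is the one that tells you whether the installation sits in the configuration the advisory is about.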


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-01-22T14:37:35.326Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec227

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:43:42 AM

Last updated: 7/26/2025, 8:12:21 AM

