CVE-2025-5803

Vulnerability

Description The VikBooking Hotel Booking Engine & PMS plugin for WordPress suffers from a broken access control vulnerability due to missing authorization checks. This issue affects versions from n/a through 1.8.2, allowing unauthorized access to certain functions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability by sending specially crafted requests to the plugin's endpoints without requiring authentication or with minimal privileges. The vulnerability is classified as low severity and is considered unlikely to be exploited in mass campaigns, though similar issues have been used in automated attacks [1].

Impact

Successful exploitation could allow an unauthenticated or low-privileged attacker to perform actions intended for higher-privileged users, such as modifying hotel booking settings or accessing sensitive information. The CVSS score of 5.3 reflects the moderate impact on confidentiality and integrity [1].

Mitigation

The vulnerability has been patched in version 1.8.3. Users are strongly advised to update to the latest version immediately. For those unable to update, temporary measures such as restricting access to the plugin via web application firewall rules may be considered [1].