## https://sploitus.com/exploit?id=WPEX-ID:48DCCF4C-07E0-4877-867D-F8F43AEB5705
v < 1.5.7

Add/edit a custom field (`/wp-admin/admin.php?option=com_vikbooking&task=customf`) and put the following payload in the Field Name or Popup Link fields: `"autofocus/onfocus=alert(/XSS/)//`

The XSS will be triggered when editing the Custom Field again.

v < 1.5.8

Add the following payload in the Admin Email settings (at `/wp-admin/admin.php?option=com_vikbooking&task=config`): `"autofocus/onfocus=alert(/XSS/)//`

Other settings were also affected.
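
The payload starts with `"`, which ends a double-quoted attribute value and lets the rest of the string be read as new attributes. The following is an added regression check, not VikBooking's code: it assumes the stored value is written into a `value="..."` attribute (the field markup and function names are constructed) and compares unencoded output with attribute-encoded output. In the plugin's PHP, the corresponding encoder is WordPress's `esc_attr()`.

```python
import html
from html.parser import HTMLParser

# Payload string quoted from the page above.
PAYLOAD = '"autofocus/onfocus=alert(/XSS/)//'

# Attributes the (constructed) edit form is supposed to emit on the field.
EXPECTED_ATTRS = {"type", "name", "value"}


def render_unescaped(value):
    """Models the flaw: stored value concatenated into a quoted attribute."""
    return '<input type="text" name="field_name" value="' + value + '">'


def render_escaped(value):
    """Hardened form: encode &, <, > and both quote characters first."""
    encoded = html.escape(value, quote=True)
    return '<input type="text" name="field_name" value="' + encoded + '">'


class _AttrCollector(HTMLParser):
    """Collects the (name, value) pairs seen on <input> tags."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.extend(attrs)


def parsed_attrs(markup):
    """Parse markup and return the attributes an HTML parser sees."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_attrs(markup):
    """Names of attributes present in the output but not in the template."""
    return sorted({name for name, _ in parsed_attrs(markup)} - EXPECTED_ATTRS)


if __name__ == "__main__":
    print("unescaped:", injected_attrs(render_unescaped(PAYLOAD)))
    print("escaped:  ", injected_attrs(render_escaped(PAYLOAD)))
```

A check like `injected_attrs()` can run in a test suite against every settings and custom-field form that echoes stored values, which matters here because more than one field was affected.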