CVE-2025-49918 MEDIUM

CVE-2025-49918: WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Sensitive Data Exposure vulnerability

Vendor E4Jvikwp
Product VikBooking Hotel Booking Engine & PMS
Weakness CWE-201
Published December 18, 2025
Last update April 28, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.

Explanation of Vulnerability in Simple Terms

02Summary

VikBooking Hotel Booking Engine & PMS versions 1.8.2 and earlier contain an information disclosure vulnerability. An attacker on the network can retrieve sensitive data without authentication, though the attack requires specific conditions to succeed. The vulnerability does not allow modification or deletion of data, only unauthorized access to confidential information.

What an attacker can do

03Attacker Capabilities

Read sensitive information from the booking system without logging in.

Potential impact on your site

04Site Impact

Guest booking data, payment details, or other confidential information may be exposed to unauthorized parties.

Conditions required to exploit

05Prerequisites

Network access to the VikBooking installation; specific attack conditions must be met (high complexity).

Key dates

06Disclosure timeline

December 18, 2025 CVE published
April 28, 2026 Record updated