VikBooking Hotel Booking Engine & PMS Security & Risk Analysis

wordpress.org/plugins/vikbooking

Famous Booking Engine, PMS and Hotel Reservations plugin for property managers. The best solution for accommodations to drive more direct bookings.

9K active installs v1.8.7 PHP 7.4.0+ WP 4.7+ Updated Feb 11, 2026
Tags: booking-engine, channel-manager, hotel, hotel-booking, reservations
82 · B · Generally Safe
CVEs total: 17
Unpatched: 0
Last CVE: Nov 7, 2025
Safety Verdict

Is VikBooking Hotel Booking Engine & PMS Safe to Use in 2026?

Mostly Safe

Score 82/100

VikBooking Hotel Booking Engine & PMS is generally safe to use. 17 past CVEs were resolved. Keep it updated.

17 known CVEs · Last CVE: Nov 7, 2025 · Updated 1mo ago
Risk Assessment

The static analysis of Vikbooking v1.8.7 reveals several significant security concerns that contribute to a moderately high risk profile. The presence of two AJAX handlers without authentication checks presents a direct and easily exploitable attack vector. While the total number of entry points is low, the unprotected ones are particularly concerning. The significant number of file operations (151) coupled with a very low percentage of properly escaped output (6%) strongly suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. The extensive use of `unserialize` (5 instances) is a known risk, especially if the serialized data can be influenced by user input, potentially leading to code execution. The lack of nonce checks and capability checks on any entry points further exacerbates these risks, allowing unauthorized actions.

The plugin's vulnerability history is a major red flag, with 17 known CVEs, including a past critical vulnerability and several high-severity ones. The common types of past vulnerabilities, such as Missing Authorization and XSS, align with the weaknesses identified in the static analysis, indicating a pattern of recurring security flaws.

The plugin does exhibit some good practices, such as a high percentage of SQL queries using prepared statements and the inclusion of common bundled libraries, but these are overshadowed by the critical lack of fundamental security checks and the plugin's history of severe vulnerabilities. Overall, this version of Vikbooking should be treated with extreme caution and is not recommended for use without immediate patching and further security audits.

Key Concerns

  • AJAX handlers without authentication checks
  • Lack of nonce checks
  • Lack of capability checks
  • Low percentage of properly escaped output
  • Use of dangerous function: unserialize
  • Bundled outdated library: TCPDF v1.0.004
  • History of 1 critical CVE
  • History of 3 high CVEs
Vulnerabilities: 17

VikBooking Hotel Booking Engine & PMS Security Vulnerabilities

CVEs by Year

  • 2022: 6 CVEs
  • 2023: 3 CVEs
  • 2024: 3 CVEs
  • 2025: 5 CVEs

Severity Breakdown

  • Critical: 1
  • High: 3
  • Medium: 13

17 total CVEs

CVE-2025-49918 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Unauthenticated Information Exposure

Nov 7, 2025 Patched in 1.8.3 (43d)
CVE-2025-5803 · medium · 5.3 · Missing Authorization

VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Missing Authorization

Oct 21, 2025 Patched in 1.8.3 (9d)
CVE-2024-13616 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VikBooking Hotel Booking Engine & PMS <= 1.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 3, 2025 Patched in 1.7.2 (88d)
CVE-2025-22670 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Settings Update

Feb 3, 2025 Patched in 1.7.3 (10d)
CVE-2024-11641 · high · 8.8 · Cross-Site Request Forgery (CSRF)

VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

Jan 25, 2025 Patched in 1.7.3 (1d)
CVE-2024-2441 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Insecure Direct Object Reference to Menu Access

Apr 19, 2024 Patched in 1.6.8 (28d)
CVE-2024-2749 · medium · 5.4 · Missing Authorization

VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Missing Authorization

Apr 19, 2024 Patched in 1.6.8 (28d)
CVE-2024-32563 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VikBooking Hotel Booking Engine & PMS <= 1.6.7 - Reflected Cross-Site Scripting

Apr 16, 2024 Patched in 1.6.8 (10d)
CVE-2023-32501 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

VikBooking Hotel Booking Engine & PMS <= 1.6.1 - Cross-Site Request Forgery in listenTosFieldSavingTask function

Feb 15, 2023 Patched in 1.6.2 (342d)
CVE-2023-25707 · medium · 5.3 · Cross-Site Request Forgery (CSRF)

VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in save_admin_widgets function

Feb 15, 2023 Patched in 1.6.0 (342d)
CVE-2023-24396 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VikBooking Hotel Booking Engine & PMS <= 1.5.11 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 27, 2023 Patched in 1.5.12 (361d)
CVE-2022-1528 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VikBooking <= 1.5.8 - Reflected Cross-Site Scripting

May 3, 2022 Patched in 1.5.9 (630d)
CVE-2022-1407 · high · 8.8 · Cross-Site Request Forgery (CSRF)

VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Apr 21, 2022 Patched in 1.5.8 (642d)
CVE-2022-1409 · medium · 5.5 · Unrestricted Upload of File with Dangerous Type

VikBooking Hotel Booking Engine & PMS <= 1.5.8 - Arbitrary File Upload

Apr 21, 2022 Patched in 1.5.9 (642d)
CVE-2022-1408 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Admin+ Stored Cross-Site Scripting

Apr 21, 2022 Patched in 1.5.8 (642d)
CVE-2022-27862 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

VikBooking Hotel Booking Engine & PMS <= 1.5.3 - Arbitrary File Upload

Apr 18, 2022 Patched in 1.5.4 (644d)
CVE-2022-27863 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

VikBooking Hotel Booking Engine & PMS <= 1.5.3 - Sensitive Information Exposure

Apr 18, 2022 Patched in 1.5.4 (644d)
Code Analysis
Analyzed Mar 16, 2026

VikBooking Hotel Booking Engine & PMS Code Analysis

  • Dangerous Functions: 5
  • Raw SQL Queries: 2 (6 prepared)
  • Unescaped Output: 7395 (470 escaped)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 151
  • External Requests: 3
  • Bundled Libraries: 4

Dangerous Functions Found

  • unserialize · admin\helpers\src\chat\storage\database.php:120 · $message->attachments = (array) @unserialize($message->attachments);
  • unserialize · admin\helpers\src\dooraccess\factory.php:1755 · $record['devices'] = (array) unserialize($record['devices']);
  • unserialize · admin\helpers\src\history\model\database.php:84 · $event = @unserialize($row->payload);
  • unserialize · admin\helpers\src\model\pricing.php:410 · ], unserialize($rates_data_sign));
  • unserialize · admin\helpers\src\model\pricing.php:428 · ], unserialize($rates_data_sign));

Bundled Libraries

PHPMailer, TinyMCE, Select2, TCPDF 1.0.004

SQL Query Safety

75% prepared · 8 total queries

Output Escaping

6% escaped · 7865 total outputs
Attack Surface: 2 unprotected

VikBooking Hotel Booking Engine & PMS Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers: 2

  • auth · wp_ajax_vikbooking · vikbooking.php:202
  • nopriv · wp_ajax_vikbooking · vikbooking.php:203

Shortcodes: 1

  • [vikbooking] · vikbooking.php:228

WordPress Hooks: 49

  • action · admin_enqueue_scripts · admin\helpers\jv_helper.php:1957
  • action · init · vikbooking.php:27
  • action · automatic_updates_complete · vikbooking.php:37
  • filter · auto_update_plugin · vikbooking.php:49
  • action · in_plugin_update_message-vikbooking/vikbooking.php · vikbooking.php:65
  • action · plugins_loaded · vikbooking.php:77
  • action · plugins_loaded · vikbooking.php:80
  • action · plugins_loaded · vikbooking.php:81
  • action · current_screen · vikbooking.php:89
  • filter · set-screen-option · vikbooking.php:90
  • filter · set_screen_option_vikbooking_list_limit · vikbooking.php:98
  • action · init · vikbooking.php:101
  • action · wp_logout · vikbooking.php:102
  • action · plugins_loaded · vikbooking.php:105
  • action · init · vikbooking.php:151
  • action · admin_menu · vikbooking.php:214
  • action · widgets_init · vikbooking.php:217
  • action · widgets_init · vikbooking.php:225
  • action · vikbooking_before_dispatch · vikbooking.php:304
  • filter · vik_date_default_timezone · vikbooking.php:364
  • action · vikbooking_after_dispatch · vikbooking.php:370
  • action · admin_post_vikbooking · vikbooking.php:397
  • action · admin_post_nopriv_vikbooking · vikbooking.php:398
  • action · save_post · vikbooking.php:410
  • action · trashed_post · vikbooking.php:486
  • action · untrashed_post · vikbooking.php:506
  • action · deleted_post · vikbooking.php:526
  • filter · mce_buttons · vikbooking.php:560
  • filter · mce_external_plugins · vikbooking.php:563
  • action · init · vikbooking.php:572
  • action · deleted_blog · vikbooking.php:585
  • action · plugins_loaded · vikbooking.php:601
  • action · vikbooking_cron_payments_scheduled · vikbooking.php:609
  • action · vikbooking_cron_performance_cleaner · vikbooking.php:622
  • action · vikbooking_cron_door_access_control · vikbooking.php:637
  • action · vikbooking_cron_db_optimization · vikbooking.php:651
  • action · plugins_loaded · vikbooking.php:662
  • filter · plugin_action_links · vikbooking.php:709
  • action · vik_widget_before_dispatch_site · vikbooking.php:721
  • action · vik_widget_after_dispatch_site · vikbooking.php:737
  • filter · vik_plugin_load_language · vikbooking.php:756
  • action · admin_notices · vikbooking.php:780
  • action · vikbooking_after_display_dashboard · vikbooking.php:879
  • filter · vikbooking_display_view_config_global · vikbooking.php:896
  • action · vikbooking_before_dispatch · vikbooking.php:903
  • filter · vikbooking_fetch_rss_channels · vikbooking.php:923
  • action · vikbooking_before_use_rss · vikbooking.php:932
  • action · admin_footer · vikbooking.php:941
  • filter · run_wptexturize · vikbooking.php:998

Scheduled Events: 4

vikbooking_cron_payments_scheduled
vikbooking_cron_performance_cleaner
vikbooking_cron_door_access_control
vikbooking_cron_db_optimization
Maintenance & Trust

VikBooking Hotel Booking Engine & PMS Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 11, 2026
  • PHP min version: 7.4.0
  • Downloads: 235K

Community Trust

  • Rating: 96/100
  • Number of ratings: 60
  • Active installs: 9K
Developer Profile

VikBooking Hotel Booking Engine & PMS Developer Profile

e4jvikwp

7 plugins · 16K total installs

  • Trust score: 72
  • Avg Security Score: 90/100
  • Avg Patch Time: 244 days
Detection Fingerprints

How We Detect VikBooking Hotel Booking Engine & PMS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/vikbooking/assets/css/admin/admin.css
  • /wp-content/plugins/vikbooking/assets/css/admin/bootstrap-datetimepicker.min.css
  • /wp-content/plugins/vikbooking/assets/css/admin/custom.css
  • /wp-content/plugins/vikbooking/assets/css/admin/jquery-ui.css
  • /wp-content/plugins/vikbooking/assets/css/admin/responsive.css
  • /wp-content/plugins/vikbooking/assets/css/site/admin.css
  • /wp-content/plugins/vikbooking/assets/css/site/bootstrap-datetimepicker.min.css
  • /wp-content/plugins/vikbooking/assets/css/site/custom.css
  • +18 more
Script Paths
  • /wp-content/plugins/vikbooking/assets/js/admin/admin.js
  • /wp-content/plugins/vikbooking/assets/js/admin/bootstrap-datepicker.min.js
  • /wp-content/plugins/vikbooking/assets/js/admin/bootstrap-datetimepicker.min.js
  • /wp-content/plugins/vikbooking/assets/js/admin/custom.js
  • /wp-content/plugins/vikbooking/assets/js/admin/jquery-ui.min.js
  • /wp-content/plugins/vikbooking/assets/js/admin/sortable.min.js
  • +8 more
Version Parameters
  • vikbooking/assets/css/admin/admin.css?ver=
  • vikbooking/assets/css/admin/bootstrap-datetimepicker.min.css?ver=
  • vikbooking/assets/css/admin/custom.css?ver=
  • vikbooking/assets/css/admin/jquery-ui.css?ver=
  • vikbooking/assets/css/admin/responsive.css?ver=
  • vikbooking/assets/css/site/admin.css?ver=
  • vikbooking/assets/css/site/bootstrap-datetimepicker.min.css?ver=
  • vikbooking/assets/css/site/custom.css?ver=
  • vikbooking/assets/css/site/jquery-ui.css?ver=
  • vikbooking/assets/css/site/responsive.css?ver=
  • vikbooking/assets/js/admin/admin.js?ver=
  • vikbooking/assets/js/admin/bootstrap-datepicker.min.js?ver=
  • vikbooking/assets/js/admin/bootstrap-datetimepicker.min.js?ver=
  • vikbooking/assets/js/admin/custom.js?ver=
  • vikbooking/assets/js/admin/jquery-ui.min.js?ver=
  • vikbooking/assets/js/admin/sortable.min.js?ver=
  • vikbooking/assets/js/site/admin.js?ver=
  • vikbooking/assets/js/site/bootstrap-datepicker.min.js?ver=
  • vikbooking/assets/js/site/bootstrap-datetimepicker.min.js?ver=
  • vikbooking/assets/js/site/custom.js?ver=
  • vikbooking/assets/js/site/jquery-ui.min.js?ver=
  • vikbooking/assets/js/site/sortable.min.js?ver=
  • vikbooking/framework/admin/assets/css/admin.css?ver=
  • vikbooking/framework/admin/assets/js/admin.js?ver=
  • vikbooking/framework/site/assets/css/site.css?ver=
  • vikbooking/framework/site/assets/js/site.js?ver=

HTML / DOM Fingerprints

CSS Classes
vikbooking-wrapper, vikbooking-page-title, vikbooking-search-form, vikbooking-results, vikbooking-calendar, vikbooking-booking-form, vikbooking-room-list, vikbooking-admin-content, +3 more
HTML Comments
  • <!-- No direct access -->
  • <!-- installer class will check the update status -->
  • <!-- installer class will check the update status -->
  • <!-- Due to WordPress 5.4.2 changes, we need to attach -->
  • +17 more
Data Attributes
data-view, data-controller, data-task
JS Globals
VikBookingAdminJoomla
REST Endpoints
  • /wp-json/vikbooking/v1/booking
  • /wp-json/vikbooking/v1/availability
  • /wp-json/vikbooking/v1/payment
  • /wp-json/vikbooking/v1/settings
Shortcode Output
[vikbooking]