The plugin does not have a CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them in attributes. As a result, attackers could make a logged-in admin add tracking campaigns with XSS payloads in them via a CSRF attack.
The XSS will be triggered in the Statistics Tracking Settings: https://example.com/wp-admin/admin.php?option=com_vikbooking&task=trkconfig
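
One way to close both gaps described above (a nonce check on the state-changing request, and escaping for the attribute context on output), as an added example that is not the plugin's own code. It assumes a WordPress admin context; every `demo_trk_*` action, option, field and page name is hypothetical.

```php
<?php
// Hypothetical names throughout: the demo_trk_* action, option, field and page
// names are invented for this example and are not taken from the plugin.

// Render the "add campaign" form with a nonce bound to this specific action.
function demo_trk_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_trk_add_campaign">';
    wp_nonce_field( 'demo_trk_add_campaign', 'demo_trk_nonce' );
    echo '<input type="text" name="campaign_name">';
    echo '<input type="text" name="campaign_key">';
    submit_button( 'Add campaign' );
    echo '</form>';
}

// State-changing handler: proceed only if capability and nonce both pass.
function demo_trk_add_campaign() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request when the nonce is missing or invalid, which is the
    // case for a request forged from another site.
    check_admin_referer( 'demo_trk_add_campaign', 'demo_trk_nonce' );

    $campaigns   = get_option( 'demo_trk_campaigns', array() );
    $campaigns[] = array(
        'name' => sanitize_text_field( wp_unslash( $_POST['campaign_name'] ?? '' ) ),
        'key'  => sanitize_text_field( wp_unslash( $_POST['campaign_key'] ?? '' ) ),
    );
    update_option( 'demo_trk_campaigns', $campaigns );

    wp_safe_redirect( admin_url( 'admin.php?page=demo-trk-settings' ) );
    exit;
}
add_action( 'admin_post_demo_trk_add_campaign', 'demo_trk_add_campaign' );

// Settings page output: escape at the point of output, for the attribute context.
function demo_trk_render_campaigns() {
    foreach ( get_option( 'demo_trk_campaigns', array() ) as $c ) {
        printf(
            '<input type="text" name="campaigns[]" value="%s" data-key="%s">',
            esc_attr( $c['name'] ),
            esc_attr( $c['key'] )
        );
    }
}
```

The two controls are independent: the nonce stops the forged write, while `esc_attr()` on output neutralizes any campaign values that were already stored before the fix.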