wpvulndb | Gabriel3476 | WPVDB-ID: 19A9E266-DAF6-4CC5-A300-2B5436B6D07D
History: Apr 21, 2022 - 12:00 a.m.

VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF

Published: 2022-04-21 00:00:00
Author: Gabriel3476
Source: wpscan.com
Tags: vikbooking, hotel booking engine, pms, stored xss, csrf, csrf attack, xss payload, statistics tracking settings

EPSS

0.001

Percentile

26.3%

The plugin does not have a CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them in HTML attributes. As a result, an attacker could make a logged-in admin add a tracking campaign containing XSS payloads via a CSRF attack; the payloads are stored and later executed when the campaign is rendered in the admin interface.

PoC

XSS will be triggered in the Statistics Tracking Settings: https://example.com/wp-admin/admin.php?option=com_vikbooking&task=trkconfig
