The plugin does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
v < 1.5.7 Add/edit a custom field (/wp-admin/admin.php?option=com_vikbooking&task;=customf) and put the following payload in the Field Name or Popup Link fields: "autofocus/onfocus=alert(/XSS/)// The XSS will be triggered when editing the Custom Field again v < 1.5.8 Add the following payload in the Admin Email settings (at /wp-admin/admin.php?option=com_vikbooking&task;=config): "autofocus/onfocus=alert(/XSS/)// Other settings were also affected