The plugin does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
v < 1.5.7
Add/edit a custom field (/wp-admin/admin.php?option=com_vikbooking&task=customf) and put the following payload in the Field Name or Popup Link fields: "autofocus/onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Custom Field again
v < 1.5.8
Add the following payload in the Admin Email settings (at /wp-admin/admin.php?option=com_vikbooking&task=config): "autofocus/onfocus=alert(/XSS/)//
Other settings were also affected