What is the CVSS score of CVE-2026-42737?

CVE-2026-42737 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of VikBooking are affected by CVE-2026-42737?

The VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 contains a high-severity path traversal vulnerability enabling unauthenticated attackers to delete…

VikBooking CVE-2026-42737

Q: How to fix or mitigate CVE-2026-42737?

Within 24 hours: Conduct an audit of all WordPress installations to identify e4jvikwp version 1.8.9 and earlier; disable the plugin immediately if business operations permit, or document compensating controls if unavoidable. Within 7 days: Deploy Web Application Firewall rules to block path traversal attempts targeting the plugin; monitor vendor advisories daily for patch release. Within 30 days: Evaluate migration to alternative hotel booking solutions or implement architectural workarounds to eliminate the plugin dependency; if plugin remains in use, establish permanent monitoring and backup procedures.

EUVD-2026-32189 HIGH

Path Traversal (CWE-22)

2026-05-27 audit@patchstack.com

GHSA-w2ch-gmrj-rgw5

Path Traversal

8.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:54 vuln.today

DescriptionNVD

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.

AnalysisAI

Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. …

RemediationAI

Within 24 hours: Conduct an audit of all WordPress installations to identify e4jvikwp version 1.8.9 and earlier; disable the plugin immediately if business operations permit, or document compensating controls if unavoidable. Within 7 days: Deploy Web Application Firewall rules to block path traversal attempts targeting the plugin; monitor vendor advisories daily for patch release. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42737 vulnerability details – vuln.today

Back

VikBooking CVE-2026-42737

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code