Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
AnalysisAI
Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. No public exploit has been identified and the EPSS score is very low (0.05%, 15th percentile), indicating this is not yet being broadly exploited despite the high 8.6 CVSS rating.
Technical ContextAI
VikBooking is a commercial hotel booking/property-management plugin for WordPress, written in PHP. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a request parameter that designates a file path is incorporated into a filesystem operation without neutralizing directory-traversal sequences such as '../'. Because the CVSS scope is Changed (S:C) with only Availability impact (A:H), the traversal lets an attacker reach files outside the plugin's intended directory and remove them, affecting the broader web server/WordPress installation rather than only plugin-owned resources. No CPE strings were provided in the source data, so exact platform/configuration enumeration relies on the EUVD version range only.
RemediationAI
No vendor-released patch version is identified in the available data; the only confirmed fact is that versions up to and including 1.8.9 are affected, so administrators should upgrade to the first release newer than 1.8.9 once the vendor publishes it and monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-arbitrary-file-deletion-vulnerability?_s_id=cve) and the e4j vendor site for the fixed build. Until a patched version is confirmed, deploy a WAF rule (or Patchstack vPatch) to block path-traversal sequences ('../', encoded variants like %2e%2e%2f, and null bytes) on the plugin's request handlers, which has the trade-off of possible false positives on legitimate file parameters; restrict access to the plugin's vulnerable AJAX/admin-ajax or front-end endpoints via network/host rules where feasible; and ensure off-site backups and least-privilege filesystem permissions for the web server user so an arbitrary-deletion attempt cannot reach critical files like wp-config.php (trade-off: tighter permissions may break plugins that legitimately write outside uploads). If the plugin is non-essential, disabling/removing it eliminates the exposure entirely.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32189
GHSA-w2ch-gmrj-rgw5