Skip to main content

VikBooking CVE-2026-42737

| EUVDEUVD-2026-32189 HIGH
Path Traversal (CWE-22)
2026-05-27 audit@patchstack.com GHSA-w2ch-gmrj-rgw5
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:54 vuln.today

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.

AnalysisAI

Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. No public exploit has been identified and the EPSS score is very low (0.05%, 15th percentile), indicating this is not yet being broadly exploited despite the high 8.6 CVSS rating.

Technical ContextAI

VikBooking is a commercial hotel booking/property-management plugin for WordPress, written in PHP. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a request parameter that designates a file path is incorporated into a filesystem operation without neutralizing directory-traversal sequences such as '../'. Because the CVSS scope is Changed (S:C) with only Availability impact (A:H), the traversal lets an attacker reach files outside the plugin's intended directory and remove them, affecting the broader web server/WordPress installation rather than only plugin-owned resources. No CPE strings were provided in the source data, so exact platform/configuration enumeration relies on the EUVD version range only.

RemediationAI

No vendor-released patch version is identified in the available data; the only confirmed fact is that versions up to and including 1.8.9 are affected, so administrators should upgrade to the first release newer than 1.8.9 once the vendor publishes it and monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-9-arbitrary-file-deletion-vulnerability?_s_id=cve) and the e4j vendor site for the fixed build. Until a patched version is confirmed, deploy a WAF rule (or Patchstack vPatch) to block path-traversal sequences ('../', encoded variants like %2e%2e%2f, and null bytes) on the plugin's request handlers, which has the trade-off of possible false positives on legitimate file parameters; restrict access to the plugin's vulnerable AJAX/admin-ajax or front-end endpoints via network/host rules where feasible; and ensure off-site backups and least-privilege filesystem permissions for the web server user so an arbitrary-deletion attempt cannot reach critical files like wp-config.php (trade-off: tighter permissions may break plugins that legitimately write outside uploads). If the plugin is non-essential, disabling/removing it eliminates the exposure entirely.

Share

CVE-2026-42737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy