Skip to main content

Travel Booking CVE-2026-56059

| EUVDEUVD-2026-39713 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-26 audit@patchstack.com GHSA-w944-78mf-7qrv
9.9
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable upload exploitable by a low-privileged Subscriber (PR:L) with no user interaction; arbitrary PHP execution escapes the app to the host, justifying S:C and full C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:59 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions.

AnalysisAI

Arbitrary file upload in the Travel Booking WordPress theme (versions <= 2.2.5) lets an authenticated low-privileged Subscriber upload files of dangerous types, enabling web shell deployment and remote code execution. The CVSS 3.1 base score is 9.9 with a scope change (S:C), reflecting that a minimally-privileged account can fully compromise the underlying host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account
Delivery
Authenticate to WordPress
Exploit
Upload crafted PHP via theme handler
Execution
Request uploaded file URL
Persist
Execute web shell as web server
Impact
Full site and host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Subscriber-level account (CVSS PR:L), so the attacker must be able to obtain one - trivial where WordPress self-registration is enabled, but blocked entirely where registration is disabled or restricted to higher roles. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed in completeness but consistent in direction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a Travel Booking site that allows self-registration, logs in, and submits a crafted request to the theme's upload functionality containing a PHP web shell that bypasses the missing file-type validation. The server stores the file in a web-accessible directory; the attacker then requests its URL to execute arbitrary code and take over the site. …
Remediation Upgrade the Travel Booking theme to a version newer than 2.2.5 once the vendor publishes a fixed release; no exact patched version is confirmed in the available data, so verify the current version against the Patchstack advisory at https://patchstack.com/database/wordpress/theme/travel-booking/vulnerability/wordpress-travel-booking-theme-2-2-5-arbitrary-file-upload-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify WordPress installations using Travel Booking theme versions ≤2.2.5; disable the theme or implement server-side upload filtering to block executable file types. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy