Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Remote CSRF needs no attacker privileges (PR:N) but requires admin interaction (UI:R); traversal deletes files beyond the plugin (S:C) causing availability loss (A:H), with no confidentiality impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.
This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.
AnalysisAI
Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim who is currently authenticated to WordPress with sufficient privileges to invoke the plugin's file-management functionality (typically an administrator) and who must perform user interaction - visiting an attacker-controlled page or clicking a crafted link (UI:R) - while that session is active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H, base 7.4) reflects a network-reachable, low-complexity attack requiring no attacker privileges but requiring victim interaction (UI:R), with a changed scope and a high availability impact only - no confidentiality or integrity loss is scored despite the primitive being file deletion, which is a notable NVD/Patchstack scoring choice worth verifying since deleting files arguably harms integrity as well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a web page containing a hidden auto-submitting form or image request that targets the VikBooking file-deletion handler with a traversal path such as ../../../../wp-config.php. They send the link to a hotel's WordPress administrator, and when that logged-in admin opens it, the browser silently submits the forged request under the admin's session, deleting the targeted file and potentially taking the site offline. … |
| Remediation | No vendor-released patch version was identified in the available data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-12-csrf-to-arbitrary-file-deletion-vulnerability) should be consulted for the fixed release, and administrators should update VikBooking to any version later than 1.8.12 once confirmed by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan WordPress installations to identify all systems running VikBooking ≤1.8.12 and document affected site inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authe
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly res
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its setting
Cross-Site Request Forgery (CSRF) vulnerability in E4J s.R.L. Rated high severity (CVSS 8.8), this vulnerability is remo
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.
Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.1
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41097
GHSA-c847-9rm9-gc74