Skip to main content

VikBooking EUVDEUVD-2026-41097

| CVE-2026-57723 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-01 Patchstack GHSA-c847-9rm9-gc74
7.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
vuln.today AI
7.4 HIGH

Remote CSRF needs no attacker privileges (PR:N) but requires admin interaction (UI:R); traversal deletes files beyond the plugin (S:C) causing availability loss (A:H), with no confidentiality impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 18:21 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.

This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.

AnalysisAI

Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious CSRF page
Delivery
Lure logged-in admin to click
Exploit
Browser submits forged file-delete request
Execution
Path traversal escapes plugin directory
Persist
Arbitrary file deleted on host
Impact
Site availability disrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim who is currently authenticated to WordPress with sufficient privileges to invoke the plugin's file-management functionality (typically an administrator) and who must perform user interaction - visiting an attacker-controlled page or clicking a crafted link (UI:R) - while that session is active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H, base 7.4) reflects a network-reachable, low-complexity attack requiring no attacker privileges but requiring victim interaction (UI:R), with a changed scope and a high availability impact only - no confidentiality or integrity loss is scored despite the primitive being file deletion, which is a notable NVD/Patchstack scoring choice worth verifying since deleting files arguably harms integrity as well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a web page containing a hidden auto-submitting form or image request that targets the VikBooking file-deletion handler with a traversal path such as ../../../../wp-config.php. They send the link to a hotel's WordPress administrator, and when that logged-in admin opens it, the browser silently submits the forged request under the admin's session, deleting the targeted file and potentially taking the site offline. …
Remediation No vendor-released patch version was identified in the available data; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-12-csrf-to-arbitrary-file-deletion-vulnerability) should be consulted for the fixed release, and administrators should update VikBooking to any version later than 1.8.12 once confirmed by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan WordPress installations to identify all systems running VikBooking ≤1.8.12 and document affected site inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy