Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Published: 2026-05-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper limitation of a pathname to a restricted directory (path traversal) allows an attacker to supply a file path that references files outside the intended plugin directory. The plugin can then be made to delete arbitrary files on the server. The impact is a loss of data integrity and availability, and potentially removal of critical system or website files.

Affected Systems

The vulnerability affects the VikBooking Hotel Booking Engine & PMS WordPress plugin from the vendor e4jvikwp, in all releases through version 1.8.9. Any WordPress site running a vulnerable instance of this plugin is at risk.

Risk and Exploitability

The flaw carries a CVSS score of 8.6, classifying it as high severity. The EPSS score is not available, and the vulnerability is not cataloged in CISA KEV, suggesting no known exploits in the wild to date. However, the path traversal nature means an attacker can trigger the deletion by submitting a specially crafted request to the plugin's file deletion endpoint. Successful exploitation would remove arbitrary files, potentially causing site downtime or data loss. Given the high score and the possibility of remote exploitation, the risk is substantial for sites that have not applied the fix.

Generated by OpenCVE AI on May 27, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VikBooking to the latest released version that includes the path traversal fix.
  • Restrict file deletion permissions in the plugin’s directories to prevent unauthorized removal of files.
  • Enable a web application firewall or add server-side validation rules to block requests containing traversal patterns such as '..' or encoded slashes.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 27 May 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. |
| Title | | WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:52:10.500Z

Reserved: 2026-04-29T09:05:25.570Z

Link: CVE-2026-42737

Vulnrichment

Updated: 2026-05-27T10:52:05.359Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:20.350

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:30:25Z

Weaknesses