CVE-2026-42737
Status: Received - Intake
Path Traversal in VikBooking Hotel Booking Engine & PMS

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)

Vendor       Product      Version / Range
vikbooking   vikbooking   up to 1.8.9 (inclusive)
vikbooking   vikbooking   from 1.0 (inclusive) to 1.8.9 (inclusive)
vikbooking   vikbooking   1.8.9
vikbooking   vikbooking   1.8.10
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability, identified as CVE-2026-42737, affects the VikBooking Hotel Booking Engine & PMS WordPress plugin versions 1.8.9 and below. It is a Path Traversal issue that allows unauthenticated attackers to delete arbitrary files from the website. This flaw falls under the OWASP Top 10 category A1: Broken Access Control, meaning attackers can bypass restrictions to access or modify files they should not be able to.

The vulnerability has a high severity score of 8.6, indicating a serious issue with the potential for widespread exploitation.


How can this vulnerability impact me?

Exploitation of this vulnerability allows attackers to delete files on the affected website without authentication. This can lead to site breakage or malfunction, potentially causing downtime, loss of data, or disruption of services provided by the website.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability allows unauthenticated attackers to delete files via a path traversal flaw in the VikBooking Hotel Booking Engine & PMS plugin. Detection involves monitoring for suspicious HTTP requests attempting to exploit path traversal or arbitrary file deletion.

You can detect potential exploitation attempts by inspecting web server logs for unusual URL patterns containing directory traversal sequences such as "../" or encoded variants.

Example commands to search for such patterns in Apache or Nginx access logs:

  • grep -iE "\.\./|%2e%2e" /var/log/apache2/access.log
  • grep -iE "\.\./|%2e%2e" /var/log/nginx/access.log

These patterns match the literal "../" sequence and its single URL-encoded form (case-insensitively); a double-encoded sequence such as "%252e%252e" or a backslash variant such as "..%5c" is not matched and requires decoding the request line before searching.

Additionally, monitoring for unexpected file deletions or errors related to missing files in the website directory may indicate exploitation.
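As an added example that is not part of the CVE record or of Patchstack's own tooling, the following script extends the grep checks above: it parses combined-format access log lines, repeatedly percent-decodes each request target so that double-encoded and backslash traversal variants are caught, and flags any request whose path or query contains a ".." segment. The log lines, client addresses and the "/index.php?file=" endpoint are constructed placeholders, not the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format; the
# "/index.php?file=" endpoint is a made-up placeholder, not the vulnerable one.
SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/May/2026:10:00:02 +0000] "GET /index.php?file=../../secret.txt HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [27/May/2026:10:00:03 +0000] "GET /index.php?file=%252e%252e%252fsecret.txt HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [27/May/2026:10:00:04 +0000] "GET /index.php?file=..%5c..%5csecret.txt HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [27/May/2026:10:00:05 +0000] "GET /images/a..b.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined-format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' segment bounded by slashes or string ends (backslashes are normalised first).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), then turn backslashes into slashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_target) for each request whose decoded path or
    query string contains a '..' directory segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m.group('target'))
        # Split on '?', '&' and '=' so a '..' segment inside a query value is found too.
        parts = re.split(r'[?&=]', decoded)
        if any(TRAVERSAL_RE.search(p) for p in parts):
            hits.append((m.group('ip'), m.group('status'), decoded))
    return hits

if __name__ == '__main__':
    for ip, status, target in find_traversal_attempts(SAMPLE_LOG):
        print(f'{ip} {status} {target}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a 200 status on a flagged request deserves closer inspection than a 404.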


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation is to update the VikBooking Hotel Booking Engine & PMS plugin to version 1.8.10 or later, where this vulnerability is patched.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.

You may also seek assistance from your hosting provider or developer to apply temporary protections such as web application firewall (WAF) rules blocking path traversal attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to delete files from the website, which can lead to site breakage or malfunction.

Such unauthorized file deletion and potential disruption of service could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.

Specifically, the vulnerability falls under OWASP Top 10's A1: Broken Access Control category, indicating a failure to properly restrict access, which is critical for maintaining compliance with data protection regulations.

Organizations using the affected plugin should update to the patched version 1.8.10 or apply mitigation measures to reduce risk and maintain compliance.

