CVE-2026-42737
Deferred - Pending Action
Path Traversal in VikBooking Hotel Booking Engine & PMS

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs

Vendor      Product     Version / Range
vikbooking  vikbooking  to 1.8.9 (inc)
vikbooking  vikbooking  From 1.0 (inc) to 1.8.9 (inc)
vikbooking  vikbooking  1.8.9
vikbooking  vikbooking  1.8.10
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

The vulnerability allows unauthenticated attackers to delete files from the website, which can lead to site breakage or malfunction.

Such unauthorized file deletion and potential disruption of service could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.

Specifically, the vulnerability falls under OWASP Top 10's A1: Broken Access Control category, indicating a failure to properly restrict access, which is critical for maintaining compliance with data protection regulations.

Organizations using the affected plugin should update to the patched version 1.8.10 or apply mitigation measures to reduce risk and maintain compliance.

Executive Summary

This vulnerability, identified as CVE-2026-42737, affects the VikBooking Hotel Booking Engine & PMS WordPress plugin versions 1.8.9 and below. It is a Path Traversal issue that allows unauthenticated attackers to delete arbitrary files from the website. This flaw falls under the OWASP Top 10 category A1: Broken Access Control, meaning attackers can bypass restrictions to access or modify files they should not be able to.

The vulnerability has a high severity score of 8.6, indicating it is dangerous and can be exploited widely.

Impact Analysis

Exploitation of this vulnerability allows attackers to delete files on the affected website without authentication. This can lead to site breakage or malfunction, potentially causing downtime, loss of data, or disruption of services provided by the website.

Detection Guidance

This vulnerability allows unauthenticated attackers to delete files via a path traversal flaw in the VikBooking Hotel Booking Engine & PMS plugin. Detection involves monitoring for suspicious HTTP requests attempting to exploit path traversal or arbitrary file deletion.

You can detect potential exploitation attempts by inspecting web server logs for unusual URL patterns containing directory traversal sequences such as "../" or encoded variants.

Example commands to search for such patterns in Apache or Nginx access logs:

  • grep -iE "\.\./|%2e%2e" /var/log/apache2/access.log
  • grep -iE "\.\./|%2e%2e" /var/log/nginx/access.log

Additionally, monitoring for unexpected file deletions or errors related to missing files in the website directory may indicate exploitation.
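
The two grep patterns above match a literal "../" or "%2e%2e" only, so they miss mixed forms such as "..%2f", backslash separators and double-encoded requests. The following is an added example, not code from Patchstack or the plugin: a log scanner that percent-decodes each request target before matching. The sample log lines are constructed, and the path and the "f" parameter in them are hypothetical, not the plugin's real endpoint.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# ".." as a whole path segment, delimited by / \ = & ? or the ends of the string
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&]|$)')
MAX_DECODE_ROUNDS = 3  # enough to unwrap double and triple percent-encoding


def normalise(target):
    """Percent-decode repeatedly until stable, so %252e%252e%252f becomes ../"""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan(lines):
    """Return (client_ip, status, decoded_target) for each traversal-looking request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.groups()
        decoded = normalise(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, status, decoded))
    return hits


# Constructed sample lines; the path and the "f" parameter are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/May/2026:10:00:01 +0000] "GET /index.php?f=../../example.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/May/2026:10:00:02 +0000] "GET /index.php?f=..%2f..%2fexample.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/May/2026:10:00:03 +0000] "GET /index.php?f=..%5c..%5cexample.txt HTTP/1.1" 403 199',
    '192.0.2.12 - - [27/May/2026:10:00:04 +0000] "POST /index.php?f=%252e%252e%252fexample.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/May/2026:10:00:05 +0000] "GET /blog/release-1..2-notes?q=a..b HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, decoded in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {decoded}")
```

The returned status code helps triage: a 200 on a flagged request deserves a closer look at file integrity than a 403 or 404.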

Mitigation Strategies

The primary immediate mitigation is to update the VikBooking Hotel Booking Engine & PMS plugin to version 1.8.10 or later, where this vulnerability is patched.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.

You may also seek assistance from your hosting provider or developer to apply temporary protections such as web application firewall (WAF) rules blocking path traversal attempts.
