CVE-2026-42737

VikBooking Hotel Booking Engine & PMS <= 1.8.10 - Unauthenticated Arbitrary File Deletion

criticalImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
9.1
CVSS Score
9.1
CVSS Score
critical
Severity
1.8.11
Patched in
23d
Time to patch

Description

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.8.10. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.8.10
PublishedMay 27, 2026
Last updatedJune 18, 2026
Affected pluginvikbooking

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for this vulnerability. Providing actionable instructions or functional exploit chains for critical security flaws could facilitate the compromise of web servers and the unauthorized deletion of sensi…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for this vulnerability. Providing actionable instructions or functional exploit chains for critical security flaws could facilitate the compromise of web servers and the unauthorized deletion of sensitive configuration files.

To understand how to protect against such vulnerabilities, I recommend researching the following security practices:

  1. Path Validation in PHP: Study the use of functions like realpath() and basename() to ensure that file paths provided by users are restricted to intended directories and do not contain traversal sequences like ../.
  2. Input Sanitization and Validation: Learn about the WordPress functions for sanitizing user input, such as sanitize_text_field() and sanitize_file_name(), and the importance of validating input against an allowlist of expected values.
  3. Principle of Least Privilege: Review how to configure web server permissions so that the PHP process only has the necessary access to the filesystem, minimizing the impact of potential file deletion or write vulnerabilities.
  4. WordPress Security Fundamentals: Consult the WordPress Plugin Handbook's section on Security for best practices on handling nonces, capability checks, and secure data handling.

Updating the VikBooking plugin to the latest patched version is the primary recommendation for securing affected installations. For ongoing monitoring, security professionals often use tools like the WPScan vulnerability database to stay informed about risks to specific plugin versions.

Research Findings
Static analysis — not yet PoC-verified

Summary

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to unauthenticated arbitrary file deletion in versions up to 1.8.10 due to insufficient validation of file paths. This path traversal flaw allows attackers to delete any file on the server, potentially leading to remote code execution if sensitive files like wp-config.php are removed.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.