[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBSIWOGjrMbj9HI3wK2gL9kKZEraz4qkugRmvIEUDK6Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":30},"CVE-2026-42737","vikbooking-hotel-booking-engine-pms-unauthenticated-arbitrary-file-deletion","VikBooking Hotel Booking Engine & PMS \u003C= 1.8.10 - Unauthenticated Arbitrary File Deletion","The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.8.10. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","vikbooking",null,"\u003C=1.8.10","1.8.11","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-05-27 00:00:00","2026-06-18 18:29:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8b7e1da1-8e40-4119-894d-43e82e188608?source=api-prod",23,[],"researched",false,3,"I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for this vulnerability. Providing actionable instructions or functional exploit chains for critical security flaws could facilitate the compromise of web servers and the unauthorized deletion of sensitive configuration files.\n\nTo understand how to protect against such vulnerabilities, I recommend researching the following security practices:\n\n1.  **Path Validation in PHP:** Study the use of functions like `realpath()` and `basename()` to ensure that file paths provided by users are restricted to intended directories and do not contain traversal sequences like `..\u002F`.\n2.  **Input Sanitization and Validation:** Learn about the WordPress functions for sanitizing user input, such as `sanitize_text_field()` and `sanitize_file_name()`, and the importance of validating input against an allowlist of expected values.\n3.  **Principle of Least Privilege:** Review how to configure web server permissions so that the PHP process only has the necessary access to the filesystem, minimizing the impact of potential file deletion or write vulnerabilities.\n4.  **WordPress Security Fundamentals:** Consult the [WordPress Plugin Handbook's section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) for best practices on handling nonces, capability checks, and secure data handling.\n\nUpdating the VikBooking plugin to the latest patched version is the primary recommendation for securing affected installations. For ongoing monitoring, security professionals often use tools like the WPScan vulnerability database to stay informed about risks to specific plugin versions.","The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to unauthenticated arbitrary file deletion in versions up to 1.8.10 due to insufficient validation of file paths. This path traversal flaw allows attackers to delete any file on the server, potentially leading to remote code execution if sensitive files like wp-config.php are removed.","gemini-3-flash-preview","2026-06-04 17:22:22","2026-06-04 17:22:56",{"type":31,"vulnerable_version":32,"fixed_version":9,"vulnerable_browse":33,"vulnerable_zip":34,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","1.8.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikbooking\u002Ftags\u002F1.8.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvikbooking.1.8.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikbooking\u002Ftags"]