CVE-2026-42737— WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability
Possible ATT&CK Techniques 1AI
T1195 · Supply Chain CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42737
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| e4jvikwp | VikBooking Hotel Booking Engine & PMS | 0 ~ 1.8.9 | - |
II. Public POCs for CVE-2026-42737
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42737
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-42737 (1)
IV. Related Vulnerabilities
Same product: VikBooking Hotel Booking Engine & PMS
- CVE-2026-42762
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1. - CVE-2025-49918
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1. - CVE-2025-5803
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1. - CVE-2024-13616
VikBooking < 1.7.2 - Admin+ Stored XSS - CVE-2025-22670
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.
Same vendor: e4jvikwp
- CVE-2026-42762
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1. - CVE-2026-25025
WordPress VikRestaurants plugin <= 1.5.2 - Reflected Cross S - CVE-2025-49918
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1. - CVE-2025-14049
VikRentItems Flexible Rental Management System <= 1.2.0 - Re - CVE-2025-13724
VikRentCar Car Rental Management System <= 1.4.4 - Authentic
Same weakness: CWE-22
- CVE-2026-42757
WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File - CVE-2026-42756
WordPress QuickWebP – Compress / Optimize Images & Convert W - CVE-2024-47267
Synology Surveillance Station目录穿越漏洞 - CVE-2026-41009
Local Blobstore may allow arbitrary reads/deletes - CVE-2026-44788
SharpCompress: Directory traversal via directory entries in
V. Comments for CVE-2026-42737
No comments yet