CVE-2026-42737
e4jvikwp · VikBooking Hotel Booking Engine & PMS
A Path Traversal vulnerability exists in the VikBooking Hotel Booking Engine & PMS, allowing attackers to access restricted directories on the host server.
Executive summary
A Path Traversal vulnerability in the VikBooking Hotel Booking Engine & PMS could allow an attacker to bypass directory restrictions and access sensitive files on the server.
Vulnerability
The vulnerability is identified as an "Improper Limitation of a Pathname to a Restricted Directory" (Path Traversal). This allows an attacker to manipulate file paths to access unauthorized files, though the specific authentication requirement is not explicitly detailed.
Business impact
With a CVSS score of 8.6, this vulnerability represents a high risk of sensitive data exposure, including configuration files, database credentials, or customer information. Successful exploitation could lead to full system compromise depending on the permissions of the web server process.
Remediation
Immediate Action: Update the VikBooking plugin to the latest version provided by the vendor to remediate the directory traversal flaw.
Proactive Monitoring: Review web server logs for suspicious URL patterns containing directory traversal sequences such as "../".
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block directory traversal attempts targeting the application.
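The three remediation steps above are a procedure; the log-review step in particular is easy to get wrong if only the literal "../" string is searched, because the same sequence can arrive URL-encoded or double-encoded. The following Python script is an added example written for this advisory, not code from the vendor or from the VikBooking product: it parses Apache/nginx combined-format access log lines, decodes each request path repeatedly (bounded) so encoded traversal payloads are revealed, folds backslashes to forward slashes, and flags any request whose path contains a "..", segment. The sample log lines, IP addresses, and query parameter names (such as "file=") are constructed for the demo and do not describe the real vulnerable endpoint.

```python
"""Scan web server access logs for directory-traversal attempts.

Added example for the 'Proactive Monitoring' step of this advisory; it is
not VikBooking code. Log lines below are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format. IPs are from the
# documentation ranges; paths and parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /index.php?view=rooms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1320 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /index.php?file=..%2f..%2fconfig.php HTTP/1.1" 200 880 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fconfig.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:12:00:05 +0000] "GET /plugin/assets/style.css HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." that forms its own path segment: preceded by start of string or a
# separator/parameter delimiter, followed by "/" or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?;])\.\.(?:/|$)')


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that
    single- and double-encoded payloads both end up as plain text.
    Backslashes are folded to '/' because some platforms treat them as
    path separators."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if the decoded request path contains a '..' segment."""
    return TRAVERSAL_RE.search(decode_path(raw_path)) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per request that looks like a traversal attempt.
    Lines that do not parse as combined log format are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if is_traversal(path):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "path": path,
                "decoded": decode_path(path),
                "status": int(m.group("status")),
            })
    return hits


def hits_by_ip(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per source address, for triage."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        # A 200 on a traversal request deserves the most attention: the
        # server may actually have served the file.
        print(f'{h["ip"]} {h["status"]} {h["decoded"]}')
    print(hits_by_ip(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; entries with a 200 status are the ones to investigate first, since a 403 or 404 suggests the request was already blocked. The decoder stops after a fixed number of rounds on purpose, so a pathological input cannot keep the loop busy indefinitely.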
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrators must prioritize updating the VikBooking plugin immediately to mitigate the risk of unauthorized file access. Ensure that the web server process is running with the minimum necessary filesystem permissions to limit the potential impact of such vulnerabilities.