CVE-2026-42737

e4jvikwp · VikBooking Hotel Booking Engine & PMS

A Path Traversal vulnerability exists in the VikBooking Hotel Booking Engine & PMS, allowing attackers to access restricted directories on the host server.

Executive summary

A Path Traversal vulnerability in the VikBooking Hotel Booking Engine & PMS could allow an attacker to bypass directory restrictions and access sensitive files on the server.

Vulnerability

The flaw is classified as CWE-22, "Improper Limitation of a Pathname to a Restricted Directory" (Path Traversal): a file path built from attacker-controlled input is not confined to the directory the application intends to serve from, so sequences such as "../" (and their URL-encoded forms) let the attacker read files outside it. The advisory does not state whether authentication is required; given the score, treat the flaw as reachable without credentials until the vendor's release notes say otherwise.
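The pattern behind CWE-22 and its fix, as an added illustration (not VikBooking's code; BASE_DIR and the file names are constructed). The vulnerable resolver concatenates user input onto a base directory; the hardened one normalises the path and then checks that the result is still inside that directory, which is the check a fix for this class of bug has to make:

```python
"""Generic CWE-22 pattern and its fix, added here as an illustration.
This is not VikBooking's code; BASE_DIR and the file names are
constructed for the demonstration."""
import os
from urllib.parse import unquote

# Constructed: a directory the application is meant to serve files from.
BASE_DIR = "/var/www/html/uploads"


def resolve_unsafe(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: user input is glued onto the base directory
    and never checked, so '../' segments walk out of base_dir and an
    absolute path replaces it outright."""
    return os.path.join(base_dir, user_path)


def resolve_safe(base_dir: str, user_path: str) -> str:
    """Hardened pattern: normalise, then require the result to stay inside
    base_dir. Raises ValueError for anything that escapes."""
    base_real = os.path.realpath(base_dir)
    # Decode once so '%2e%2e%2f' is compared in the same form as '../'.
    # Skip this step if the framework has already decoded the value;
    # decoding twice is itself a classic filter bypass.
    decoded = unquote(user_path)
    # realpath collapses '..' and resolves symlinks; an absolute user path
    # still ends up compared against base_real below.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath compares whole segments, so '/var/www/html/uploads2'
    # does not pass as being inside '/var/www/html/uploads'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes {base_real}: {user_path!r}")
    return candidate


def escapes(base_dir: str, user_path: str) -> bool:
    """True when resolve_safe rejects user_path as leaving base_dir."""
    try:
        resolve_safe(base_dir, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ("2026/invoice-1042.pdf", "../../../../etc/passwd",
              "%2e%2e/%2e%2e/config.php", "/etc/passwd"):
        print(f"{p!r:36} unsafe -> {resolve_unsafe(BASE_DIR, p)}")
        safe = "REJECTED" if escapes(BASE_DIR, p) else resolve_safe(BASE_DIR, p)
        print(f"{'':36} safe   -> {safe}")
```

The containment check is done on the resolved path rather than by rejecting ".." substrings, so symlinks inside the base directory and lexical tricks such as "2026/../../" are handled the same way; a denylist of "../" alone is bypassed by encoding.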

Business impact

With a CVSS score of 8.6 (High), the primary risk is exposure of sensitive files: configuration files, database credentials, and customer booking data. Whether that disclosure escalates to full system compromise depends on what the web server process is permitted to read; credentials or keys recovered this way are usually the first step in such a chain rather than the last.

Remediation

Immediate Action: Update the VikBooking plugin to the latest version provided by the vendor to remediate the directory traversal flaw.

Proactive Monitoring: Review web server logs for requests whose path or query parameters contain a ".." path segment, including the URL-encoded ("..%2f", "%2e%2e/"), double-encoded ("%252e%252e%2f") and backslash ("..\") variants; a search for the literal "../" alone misses most real attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with path-traversal rules that are evaluated after URL decoding and scoped to the application's endpoints, as a stopgap until the update is applied. A WAF reduces exposure but does not remove the flaw.
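The log review described under Proactive Monitoring, as an added example (not the vendor's tooling). It parses combined-format access log lines, normalises each request path and query value the way a server would (bounded repeated percent-decoding, backslashes folded to "/"), and flags any ".." path segment. The log lines are constructed; the request paths and the "file" parameter are hypothetical and are not the endpoint affected by this CVE, which the advisory does not identify. The same normalisation is what a WAF rule needs to do before matching:

```python
"""Access-log review for traversal attempts, added here as an illustration
(not VikBooking's or the vendor's code). The log lines are constructed in
combined log format; the request paths and the 'file' parameter are
hypothetical and are not the endpoint affected by this CVE."""
import re
from urllib.parse import parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A '..' that is a whole path segment: start or '/' before, '/' or end after.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')

# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2026:10:14:02 +0000] "GET /wp-content/plugins/example/assets/style.css HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2026:10:14:09 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1847
203.0.113.7 - - [12/Mar/2026:10:14:11 +0000] "GET /index.php?file=..%2F..%2Fconfig.php HTTP/1.1" 200 3311
203.0.113.9 - - [12/Mar/2026:10:15:40 +0000] "GET /index.php?file=%252e%252e%2F%252e%252e%2Fconfig.php HTTP/1.1" 403 199
203.0.113.9 - - [12/Mar/2026:10:15:44 +0000] "GET /download?file=..\\..\\config.php HTTP/1.1" 200 3311
198.51.100.4 - - [12/Mar/2026:10:16:01 +0000] "GET /docs/v1..2/changes HTTP/1.1" 200 880
198.51.100.5 - - [12/Mar/2026:10:16:30 +0000] "GET /search?q=what..is..this HTTP/1.1" 200 4021
"""


def normalize(value: str) -> str:
    """Percent-decode repeatedly (bounded, so a hostile value cannot loop
    forever) and fold backslashes to '/', so encoded, double-encoded and
    Windows-style variants all compare the same way."""
    cur = value
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def traversal_reason(target: str):
    """Return which part of the request target carries a '..' segment
    ('path' or 'query:<param>'), or None if it is clean."""
    path, _, query = target.partition("?")
    if TRAVERSAL_RE.search(normalize(path)):
        return "path"
    # parse_qsl decodes each value once; normalize() handles further layers.
    for key, val in parse_qsl(query, keep_blank_values=True):
        if TRAVERSAL_RE.search(normalize(val)):
            return f"query:{key}"
    return None


def scan(lines):
    """Parse each access-log line and return the requests that look like
    traversal attempts, with the fields an analyst pivots on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access line; skip it
        reason = traversal_reason(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": m["status"], "where": reason})
    return hits


def by_ip(hits):
    """Count flagged requests per client, the usual pivot for blocking."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['ip']:14} {h['status']} {h['where']:12} {h['target']}")
    print("per client:", by_ip(found))
```

Matching on a whole ".." segment rather than any two dots keeps version strings such as "v1..2" and free-text search terms out of the results, and the 403 on the double-encoded request shows why status codes are worth keeping in the output: a 200 on a flagged request is the one that needs follow-up.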

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators must prioritize updating the VikBooking plugin immediately to mitigate the risk of unauthorized file access. Run the web server process with the minimum filesystem permissions it needs, with no read access to files outside the application's own tree, so that a traversal flaw discloses as little as possible.