CVE-2026-42737

Vulnerability

A path traversal vulnerability (CWE-22) exists in the WordPress plugin VikBooking Hotel Booking Engine & PMS versions from n/a through 1.8.9 [1]. The software fails to properly restrict file paths supplied via user input, enabling an attacker to specify arbitrary file paths on the server [1]. No authentication or special privileges are required to reach the vulnerable code path [1].

Exploitation

An unauthenticated remote attacker can exploit this by sending a crafted HTTP request containing path traversal sequences (e.g., ../) to the affected endpoint [1]. The attacker simply needs network access to the WordPress site; no user interaction or prior access is needed [1]. The exploit is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows the attacker to delete arbitrary files from the server [1]. If critical WordPress or plugin core files are deleted, the site can break and stop functioning entirely, leading to a denial of service [1]. The CVSS v3 score of 8.6 (High) reflects the low attack complexity and high impact on availability [1].

Mitigation

Users must update to version 1.8.10 or later, which resolves the vulnerability [1]. Those unable to update immediately can apply a virtual mitigation rule provided by Patchstack to block exploit attempts [1]. No other workarounds are documented in the references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of this writing.