CVE-2026-42737 Overview
CVE-2026-42737 is a path traversal vulnerability in the e4jvikwp VikBooking Hotel Booking Engine & PMS plugin for WordPress. The flaw affects all versions up to and including 1.8.9. An unauthenticated attacker can manipulate file path parameters to escape the intended directory and delete arbitrary files on the host. Patchstack classifies the issue as an arbitrary file deletion vulnerability stemming from improper limitation of a pathname to a restricted directory [CWE-22]. Deleting critical files such as wp-config.php can force WordPress into a setup state, enabling site takeover.
Critical Impact
Unauthenticated network attackers can delete arbitrary files on vulnerable WordPress hosts running VikBooking <= 1.8.9, leading to denial of service and potential site takeover.
Affected Products
- VikBooking Hotel Booking Engine & PMS WordPress plugin, versions through 1.8.9
- WordPress sites running the vulnerable vikbooking plugin
- Hospitality and property management deployments dependent on the plugin
Discovery Timeline
- 2026-05-27 - CVE-2026-42737 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-42737
Vulnerability Analysis
The vulnerability resides in a file-handling routine of the VikBooking plugin that accepts a user-controlled path parameter without proper canonicalization or restriction. An attacker submits a crafted request containing directory traversal sequences such as ../ to reference files outside the intended plugin directory. The application then performs a delete operation against the resolved path. Because the operation requires no authentication and no user interaction, an attacker can target the WordPress installation remotely over HTTP. Successful exploitation removes files belonging to the web application or operating system context accessible to the PHP process.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The plugin fails to validate or normalize file path input before invoking a deletion function. Allowlist checks, realpath resolution, and base-directory containment are absent or insufficient in versions through 1.8.9.
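To make the root cause concrete, here is an added example (not the plugin's code; the plugin is PHP, this is Python so it can be run directly) that places the vulnerable lexical join beside a hardened resolver applying realpath resolution and base-directory containment, exercised against a constructed WordPress-like layout that includes a symlink escape. The names `lexical_join`, `resolve_within_base`, `safe_delete` and `run_demo` are hypothetical, and the input is assumed to be the already URL-decoded parameter value the web server hands to the application.

```python
import os
import tempfile
from typing import Dict, Optional

def lexical_join(base: str, user_path: str) -> str:
    """Vulnerable pattern: join and normalise lexically; symlinks are never resolved."""
    return os.path.normpath(os.path.join(base, user_path))

def resolve_within_base(base: str, user_path: str) -> Optional[str]:
    """Hardened resolution: reject absolute paths and NUL bytes, resolve symlinks
    with realpath, then require the result to stay inside the real base directory."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        return None
    real_base = os.path.realpath(base)
    resolved = os.path.realpath(os.path.join(real_base, user_path))
    # commonpath compares whole components, so "uploads-evil" cannot pass as "uploads"
    if os.path.commonpath([real_base, resolved]) != real_base:
        return None
    return resolved

def safe_delete(base: str, user_path: str) -> bool:
    """Delete only a regular file that resolves inside base; report whether one was removed."""
    target = resolve_within_base(base, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def run_demo() -> Dict[str, bool]:
    """Constructed fixture: <root>/wp-config.php, <root>/uploads/cache.tmp and a
    symlink <root>/uploads/link -> <root>/wp-config.php. Returns the check outcomes."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    config = os.path.join(root, "wp-config.php")
    for path, body in ((config, "<?php // constructed placeholder\n"), (os.path.join(uploads, "cache.tmp"), "x")):
        with open(path, "w") as fh:
            fh.write(body)
    os.symlink(config, os.path.join(uploads, "link"))
    return {
        "dotdot_rejected": resolve_within_base(uploads, "../wp-config.php") is None,
        "absolute_rejected": resolve_within_base(uploads, "/etc/passwd") is None,
        # a lexical prefix check accepts the symlink as "inside" uploads; realpath does not
        "symlink_passes_lexical": lexical_join(uploads, "link").startswith(uploads),
        "symlink_rejected": resolve_within_base(uploads, "link") is None,
        "symlink_delete_blocked": not safe_delete(uploads, "link") and os.path.exists(config),
        "legit_deleted": safe_delete(uploads, "cache.tmp") and not os.path.exists(os.path.join(uploads, "cache.tmp")),
    }
```

Calling `run_demo()` returns all six outcomes as True, which is the behaviour the fixed versions should exhibit: traversal, absolute paths and symlink escapes are refused while an in-directory file is still deletable.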
Attack Vector
The attack vector is network-based with low complexity. The attacker sends a single HTTP request containing a traversal payload in the vulnerable parameter. No privileges and no user interaction are required. In CVSS terms the scope is changed, because deleted files can affect components beyond the plugin itself, including core WordPress files, leading to high availability impact. See the Patchstack Vulnerability Report for additional context.
No verified proof-of-concept code is publicly available. Refer to the Patchstack advisory for technical details.
Detection Methods for CVE-2026-42737
Indicators of Compromise
- HTTP requests to VikBooking plugin endpoints containing traversal sequences such as ../, ..%2f, or encoded variants in file path parameters
- Unexpected deletion of WordPress core files, including wp-config.php, .htaccess, or index.php
- WordPress installation entering a setup or installation state without administrator action
- Web server 404 errors for previously valid resources following anomalous plugin requests
Detection Strategies
- Inspect web server access logs for requests targeting /wp-content/plugins/vikbooking/ paths with directory traversal patterns in query strings or POST bodies
- Monitor file integrity on WordPress directories and alert on unexpected file deletions
- Deploy WAF rules that block traversal sequences in parameters processed by the VikBooking plugin
Monitoring Recommendations
- Enable file integrity monitoring on the WordPress document root and plugin directories
- Forward web server, PHP-FPM, and WAF logs to a centralized analytics platform for correlation
- Alert on plugin parameter values containing path separators or URL-encoded traversal tokens
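A detector for the log-inspection strategy and the traversal-token alert listed above, added here as an example rather than anything from the advisory: it parses combined-format access log lines, strips URL-encoding layers, and reports VikBooking requests whose decoded target contains a traversal token. The sample lines and ENDPOINT_PLACEHOLDER are constructed (the advisory does not name the vulnerable handler or parameter); POST bodies do not appear in access logs, so WAF or application logs are needed to cover those.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx combined log format: client, identd, user, timestamp, request line, status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ once every encoding layer is stripped
PLUGIN_PATH = "/wp-content/plugins/vikbooking/"  # plugin path named in the detection strategies above

def decode_layers(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e/ and double-encoded %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a VikBooking request carrying a traversal token, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_layers(m.group("target"))
    # scoped to the plugin path on purpose; widen to any traversal if the site has no other WAF coverage
    if PLUGIN_PATH not in decoded.lower() or not TRAVERSAL_RE.search(decoded):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "decoded_target": decoded}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (inspect_line(line) for line in lines) if f is not None]

# Constructed sample lines; ENDPOINT_PLACEHOLDER stands in for the undisclosed plugin handler
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:01:02 +0000] "GET /wp-content/plugins/vikbooking/ENDPOINT_PLACEHOLDER?file=../../../wp-config.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [27/May/2026:10:01:03 +0000] "GET /wp-content/plugins/vikbooking/ENDPOINT_PLACEHOLDER?file=..%252f..%252fwp-config.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [27/May/2026:10:02:00 +0000] "GET /wp-content/plugins/vikbooking/ENDPOINT_PLACEHOLDER?file=invoice.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/May/2026:10:02:01 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running it against the sample flags the two plugin requests from 203.0.113.5 (the second only because the double-encoded payload is decoded twice) and ignores the benign plugin request and the non-plugin traversal.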
How to Mitigate CVE-2026-42737
Immediate Actions Required
- Identify all WordPress instances running the VikBooking Hotel Booking Engine & PMS plugin and confirm the installed version
- Upgrade the plugin to a fixed version published after 1.8.9 once released by e4jvikwp
- Deactivate and remove the plugin on sites that cannot be updated immediately
- Restore any deleted files from known-good backups and verify WordPress core integrity
Patch Information
A patched release is referenced through the Patchstack Vulnerability Report. Apply the latest version provided by the vendor on the WordPress plugin repository.
Workarounds
- Block external requests to vulnerable VikBooking endpoints at the WAF or reverse proxy until patching is complete
- Restrict the PHP process file system permissions so it cannot delete WordPress core or configuration files
- Enforce WAF signatures that reject path parameters containing .., %2e%2e, or absolute path prefixes
# Example ModSecurity rule to block traversal payloads against VikBooking.
# The first rule scopes the check to the plugin path and carries the id and the
# blocking action; the chained rule URL-decodes the arguments once and then looks
# for ../ or ..\ (the encoded forms in the pattern still catch a second encoding
# layer such as %252e%252e%252f after that single decode).
SecRule REQUEST_URI "@contains /wp-content/plugins/vikbooking/" \
"id:1004273,phase:2,deny,status:403,log,t:none,t:lowercase,msg:'VikBooking path traversal attempt',chain"
SecRule ARGS|ARGS_NAMES|REQUEST_URI "@rx (?:\.\.[\\/]|%2e%2e(?:%2f|%5c|/))" "t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.