CVE-2022-1409

HIGH

Vikwp Hotel Booking Engine & Pms < 1.5.8 - Unrestricted File Upload

Title source: rule
STIX 2.1

Description

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/1330f8f7-4a59-4e9d-acae-21656a4101fe

Scores

CVSS v3 7.2
EPSS 0.0091
EPSS Percentile 75.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
vikwp/hotel_booking_engine_\&_pms < 1.5.8
Published May 16, 2022
Tracked Since Feb 18, 2026