CVE-2022-1409
HIGHVikBooking Hotel Booking Engine & PMS < 1.5.8 - Authenticated Arbitrary PHP File Upload via Image Validation Bypass
Title source: llmDescription
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/1330f8f7-4a59-4e9d-acae-21656a4101fe
Scores
CVSS v3
7.2
EPSS
0.0144
EPSS Percentile
69.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
vikwp/hotel_booking_engine_\&_pms
< 1.5.8
Published
May 16, 2022
Tracked Since
Feb 18, 2026