CVE-2024-11641

HIGH 8.8

VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE	CWE-352
Vendor	e4jvikwp
Product	vikbooking hotel booking engine & pms
Published	Jan 26, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for e4jvikwp vikbooking hotel booking engine & pms

Be the first to know when new high vulnerabilities affecting e4jvikwp vikbooking hotel booking engine & pms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

e4jvikwp / VikBooking Hotel Booking Engine & PMS

0 ≤ 1.7.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb6611d-7a4b-4ca8-b9cc-c156437e89b5?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3225861/vikbooking

Credits

Noah Stead