CVE-2026-57723 in VikBooking Hotel Booking Engine & PMS Plugin

Summary

by MITRE • 07/01/2026

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.

This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.


Analysis

by VulDB Data Team • 07/01/2026

The Cross-Site Request Forgery vulnerability in the e4jvikwp VikBooking Hotel Booking Engine & PMS is a critical flaw that combines two distinct but related weaknesses: a path traversal issue that is reachable through a forged cross-site request. The pairing significantly amplifies the impact on affected systems. All versions from the initial release through 1.8.12 are affected, so installations were exposed for a prolonged period without adequate protection.

The technical flaw stems from insufficient validation of user input and inadequate protection against requests originating from external domains. A malicious actor who crafts a request that combines CSRF with path traversal can steer the application into reading restricted files or directories on the server's file system. This is possible because the application neither verifies that the request was intentionally issued by the user nor validates parameters or request paths that attempt to traverse the directory structure.

The operational impact of this vulnerability extends well beyond simple data exposure, as it opens several avenues for threat actors targeting hotel booking systems and their underlying infrastructure. Attackers can use it to read sensitive configuration files or the credentials stored in database connection strings, or even execute arbitrary code if the system architecture allows it. Because CSRF and path traversal combine here, tricking a logged-in user into following a malicious link is only the first step: the forged request can then steer file access to paths outside the intended directory, bypassing the normal authorization checks.

This vulnerability corresponds to CWE-352 (Cross-Site Request Forgery), while the path traversal aspect corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Together these weaknesses create a particularly dangerous scenario in which attackers can gain unauthorized access to critical system components and sensitive data. From an ATT&CK framework perspective, the vulnerability maps to credential access through web application attacks and to privilege escalation by reading system files that should remain protected.

Organizations using VikBooking Hotel Booking Engine & PMS should immediately implement comprehensive mitigations: strict validation of all user-supplied parameters, anti-CSRF tokens on every state-changing operation, and access controls that confine file operations to the intended directory. The most effective approach combines a web application firewall that detects and blocks suspicious request patterns, robust session management, and validation of every file system access against the requesting user's legitimate permissions. Regular security audits and penetration tests should be conducted to identify further vulnerabilities that may exist within the broader application ecosystem.
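As an added illustration of the two controls named above (this is example code, not VikBooking's or the vendor's), the following WordPress-style admin handler shows a file-serving action in an unprotected form and a hardened form. The plugin's real action names, parameter names and export directory are not on this page; `vb_download_export`, the `file` query parameter and the `vb-exports` directory are assumed placeholders.

```php
<?php
// Added example (not VikBooking code). Hypothetical admin action that serves a
// file from a plugin export directory. Action, parameter and directory names
// are placeholders; the plugin's real names are not shown on this page.

// --- Unprotected form: the two weaknesses the advisory pairs (CWE-352 + CWE-22) ---
function vb_download_export_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // No nonce check: a request forged by another site and sent by a
    // logged-in administrator's browser passes the capability check above.
    $base = WP_CONTENT_DIR . '/uploads/vb-exports/';
    // No path validation: a value such as "../../wp-config.php" leaves
    // the export directory.
    readfile( $base . $_GET['file'] );
    exit;
}

// --- Hardened form ---
function vb_download_export_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CWE-352: require a nonce bound to this action. check_admin_referer()
    // dies with a 403 if the nonce is missing, expired or for another action.
    check_admin_referer( 'vb_download_export' );

    $base      = realpath( WP_CONTENT_DIR . '/uploads/vb-exports' );
    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';

    // CWE-22: reduce the input to a single path component, then confirm the
    // resolved path still lies inside the export directory (belt and braces:
    // basename() already removes directory parts, realpath() catches symlinks).
    $name = basename( $requested );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $path || ! is_file( $path )
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $path );
    exit;
}
add_action( 'admin_post_vb_download_export', 'vb_download_export_safe' );

// Building the download link in an admin page: wp_nonce_url() appends the
// _wpnonce parameter that check_admin_referer() verifies above.
function vb_export_link( $name ) {
    $url = add_query_arg(
        array( 'action' => 'vb_download_export', 'file' => $name ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'vb_download_export' );
}
```

The nonce alone stops the forged request, and the path check alone stops traversal; the advisory's point is that both were missing, so the hardened handler applies both, and a GET on an admin endpoint should in any case not perform state-changing work without a nonce.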

Remediation requires patching affected installations promptly; version 1.8.13 or later is recommended to ensure complete protection against this vulnerability class. Organizations should also review their existing security configurations and put logging in place that surfaces suspicious file access patterns and unauthorized requests indicative of exploitation attempts. Together these measures form a layered defense that addresses both the CSRF and the path traversal aspects of this vulnerability and provides ongoing protection against similar threats.
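As an added example of the logging-based detection suggested above (this is not VulDB's or the vendor's code), the following script scans web server access-log lines for requests that carry directory-traversal sequences, including once- and twice-percent-encoded forms. The log lines are constructed samples, and the `vb_download_export` action and `file` parameter in them are placeholders, not the plugin's real names.

```php
<?php
// Added example (not VikBooking code). Flags access-log entries whose request
// target contains a "../" or "..\" sequence after URL decoding. Sample lines
// below are constructed; action and parameter names are placeholders.

function vb_decode_fully( string $s, int $rounds = 3 ): string {
    // Decode repeatedly so a double-encoded "%252e%252e%252f" is caught too.
    for ( $i = 0; $i < $rounds; $i++ ) {
        $d = rawurldecode( $s );
        if ( $d === $s ) {
            break;
        }
        $s = $d;
    }
    return $s;
}

function vb_is_traversal_attempt( string $request_target ): bool {
    $decoded = strtolower( vb_decode_fully( $request_target ) );
    // ".." followed by a forward or back slash, anywhere in path or query.
    return (bool) preg_match( '#\.\.[\\\\/]#', $decoded );
}

function vb_scan_access_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        // Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        list( , $client, $time, $method, $target, $status ) = $m;
        if ( vb_is_traversal_attempt( $target ) ) {
            $hits[] = array(
                'client' => $client,
                'time'   => $time,
                'method' => $method,
                'target' => $target,
                'status' => (int) $status,
            );
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). The first is a legitimate
// download; the other two carry traversal sequences, the last one
// double-encoded. A 200 on a traversal request deserves the most attention.
$sample = array(
    '203.0.113.7 - - [01/Jul/2026:10:00:01 +0000] "GET /wp-admin/admin-post.php?action=vb_download_export&file=report.csv HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jul/2026:10:00:02 +0000] "GET /wp-admin/admin-post.php?action=vb_download_export&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3100',
    '203.0.113.9 - - [01/Jul/2026:10:00:03 +0000] "GET /wp-admin/admin-post.php?action=vb_download_export&file=%252e%252e%252fwp-config.php HTTP/1.1" 400 0',
);

foreach ( vb_scan_access_log( $sample ) as $hit ) {
    printf( "%s %s %s %s -> %d\n", $hit['time'], $hit['client'], $hit['method'], $hit['target'], $hit['status'] );
}
```

Run against the sample above, the scan reports the second and third lines and ignores the first. In production the same check belongs on the WAF or in the SIEM, keyed on the plugin's admin endpoints, and a matching request that returned 200 before the patch was applied should be treated as a possible successful read.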

Responsible: Patchstack

Reservation: 06/25/2026

Disclosure: 07/01/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low

Sector: Hospital
