WordPress Plugin Vulnerabilities

VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload

Description

The plugin does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

Proof of Concept

Affects Plugins

Plugin icon
vikbooking
Fixed in 1.5.8

References

CVE
CVE-2022-1409

Miscellaneous

Original Researcher
Gabriel3476
Submitter
Gabriel3476
Submitter website
https://github.com/Gabriel3476/
Verified
Yes
WPVDB ID
1330f8f7-4a59-4e9d-acae-21656a4101fe

Timeline

Publicly Published
2022-04-21 (about 3 years ago)
Added
2022-04-21 (about 3 years ago)
Last Updated
2022-04-22 (about 3 years ago)

Other

Published
Title
Published
2024-10-17
Title
Sovratec Case Management <= 1.0.0 - Unauthenticated Arbitrary File Upload
Published
2023-09-04
Title
Export Import Menus < 1.9.0 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-07-22
Title
ReachShip WooCommerce Multi-Carrier & Conditional Shipping < 4.3.2 - Authenticated (Contributor+) Arbitrary File Upload
Published
2024-01-17
Title
Unlimited Addons for WPBakery Page Builder <= 1.0.42 - Authenticated (Editor+) Arbitrary File Upload
Published
2023-08-22
Title
Jupiter X Core Premium < 3.3.8 - Unauthenticated Arbitrary File Upload