VikBooking Hotel Booking Engine & PMS < 1.7.3 – Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload | CVE 2024-11641 | Plugin Vulnerabilities

Description

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 1.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb6611d-7a4b-4ca8-b9cc-c156437e89b5

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Noah Stead (TurtleBurg)

Verified

No

WPVDB ID

90bc20ba-3c91-4240-8af9-d572378cc3ea

Timeline

Publicly Published

2025-01-25 (about 1 year ago)

Added

2025-01-25 (about 1 year ago)

Last Updated

2025-01-26 (about 1 year ago)

Other

Published

Title

Published

2022-09-01

Title

GetResponse < 5.5.21 - API Key Update via CSRF

Published

2024-11-15

Title

EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.9 - Cross-Site Request Forgery

Published

2024-07-01

Title

Community Events < 1.5 - Event Deletion via CSRF

Published

2024-12-12

Title

LionScripts: Site Maintenance & Noindex Nofollow Plugin <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2026-04-21

Title

WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter