Arbitrary File Upload Vulnerability in Travel Booking Plugin by WordPress
CVE-2026-56059

9.9CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
26 June 2026

What is CVE-2026-56059?

The Travel Booking plugin prior to version 2.2.5 contains a vulnerability that allows unauthorized users to upload arbitrary files, potentially leading to remote code execution and significant security risks. It is crucial for users of this plugin to update to a secure version to prevent exploitation and safeguard their WordPress sites.

Affected Version(s)

Travel Booking <= 2.2.5

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jamaal ahmed | Patchstack Bug Bounty Program
.