CVE Catalog
CVE-2026-56059
CriticalCVSS 9.9Summary
In the Travel Booking plugin version 2.2.5 and earlier, a vulnerability was found that allows a subscriber-level user to upload arbitrary files to the server. This flaw can be exploited to upload malicious software.
Risk Assessment
An attacker with low privileges can upload dangerous files, potentially leading to server compromise or data theft.
Recommendation
Immediately update the Travel Booking plugin to the latest available version and restrict user permissions to the minimum necessary.
Original NVD description (English source)
Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions.

