CVE-2025-7526
Published: 09 October 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-7526 is a critical vulnerability in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress, affecting all versions up to and including 6.6.7. It enables arbitrary file deletion via renaming due to insufficient file path validation in the set_user_profile_image function within the plugin's form handler. Classified under CWE-22 (Path Traversal), the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By manipulating file paths, they can delete arbitrary files on the server, potentially leading to remote code execution—for instance, by targeting critical files like wp-config.php to disrupt site functionality or enable further compromise.
Advisories and related resources, including the Wordfence threat intelligence report and the plugin's code repository on the WordPress Trac, provide details on the vulnerable code at line 512 in class-wp-travel-engine-form-handler.php. Security practitioners should consult these for patch information and mitigation guidance, such as updating to a fixed version if available.
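The root cause described above is a rename that trusts a user-controlled file name. The following added example (not the plugin's own code) shows the check a hardened `set_user_profile_image` would perform before touching the filesystem: the name must be a bare file name with an image extension, and the resolved path must stay inside the uploads base directory. The function name is hypothetical; in WordPress `$base_dir` would come from `wp_upload_dir()['basedir']`.

```php
<?php
// Hypothetical hardened path check for a profile-image rename (example code,
// not taken from the WP Travel Engine plugin). Returns the resolved path on
// success or null when the input must be rejected.
function wpte_example_safe_profile_image_path(string $base_dir, string $user_path): ?string {
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    // Only a bare file name is acceptable: no directory components, no dot
    // segments, no NUL bytes. basename() strips traversal, so any difference
    // between the input and its basename means the input carried a path.
    $name = basename($user_path);
    if ($name !== $user_path || $name === '' || $name === '.' || $name === '..'
        || strpos($name, "\0") !== false) {
        return null;
    }
    // Restrict to image extensions; wp-config.php and other non-images never match.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(jpe?g|png|gif|webp)$/i', $name)) {
        return null;
    }
    // realpath() also follows symlinks, so a link pointing outside uploads is caught.
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $real_base . DIRECTORY_SEPARATOR, strlen($real_base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration in a temporary uploads directory.
$base = sys_get_temp_dir() . '/wpte-example-' . bin2hex(random_bytes(4));
mkdir($base);
touch($base . '/avatar.png');

var_dump(wpte_example_safe_profile_image_path($base, 'avatar.png') !== null);           // bool(true)
var_dump(wpte_example_safe_profile_image_path($base, '../../wp-config.php'));           // NULL
var_dump(wpte_example_safe_profile_image_path($base, 'avatar.png/../../wp-config.php')); // NULL
var_dump(wpte_example_safe_profile_image_path($base, 'wp-config.php'));                 // NULL

unlink($base . '/avatar.png');
rmdir($base);
```

Only a path returned by this check should ever be passed to `rename()` or `unlink()`; the traversal inputs are rejected before the filesystem is consulted.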
Details
- CWE(s): CWE-22 (Path Traversal)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190: Unauthenticated remote exploitation of a public-facing WordPress plugin.
- T1070.004: Enables arbitrary file deletion via path traversal, facilitating indicator removal.