CVE-2025-7526 | The WP Travel Engine – Tour Booking Plugin – Tour Operator S… | CVSS 9.8 CRITICAL

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Metadata

CVE ID: CVE-2025-7526
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-07-12 08:37 UTC
Published: 2025-10-09 05:23 UTC
Last updated: 2026-04-08 17:21 UTC
Primary CWE: CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product: wptravelengine / WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
wptravelengine	WP Travel Engine – Tour Booking Plugin – Tour Operator Software	—	0 ≤ 6.6.7

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)