WordPress Plugin Vulnerabilities

WP Travel Engine – Tour Booking Plugin – Tour Operator Software < 6.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
wp-travel-engine
Fixed in 6.6.8

References

CVE
CVE-2025-7526
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c754d957-26a8-4fef-a487-96d566c2dc36

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
777b8d11-d3a9-4326-94bb-167e4135a036

Timeline

Publicly Published
2025-10-08 (about 7 months ago)
Added
2025-10-08 (about 7 months ago)
Last Updated
2025-10-09 (about 7 months ago)

Other

Published
Title
Published
2016-03-03
Title
epic Theme - Arbitrary File Download
Published
2021-06-09
Title
Motor theme < 3.1.0 - Unauthenticated Local File Inclusion
Published
2014-08-01
Title
WP Online Store 1.3.1 - index.php slug Parameter Traversal Local File Inclusion
Published
2024-10-14
Title
WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 - Authenticated (Subscriber+) Arbitrary File Download
Published
2026-04-01
Title
MW WP Form < 5.1.1 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir