WP Travel Engine CVE-2025-7526: Arbitrary File Deletion Vulnerability – Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-7526, a critical arbitrary file deletion vulnerability in the WP Travel Engine WordPress plugin up to version 6.6.7. It covers technical details, affected versions, vendor security history, and references for security professionals.
CVE Analysis

ZeroPath CVE Analysis

2025-10-08
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can delete critical files on any WordPress site running vulnerable versions of WP Travel Engine, potentially leading to full site takeover and remote code execution. With over 10,000 active installations, this issue directly impacts travel operators and booking platforms worldwide.

WP Travel Engine is a specialized WordPress plugin designed for tour operators and travel agencies. It powers booking and itinerary management for thousands of travel industry websites. The plugin's broad adoption in the tourism sector means vulnerabilities can have immediate and far-reaching operational and data security consequences.

Technical Information

CVE-2025-7526 is an arbitrary file deletion vulnerability in the WP Travel Engine plugin for WordPress. The flaw exists in the set_user_profile_image function located in includes/dashboard/class-wp-travel-engine-form-handler.php. This function is responsible for handling user profile image uploads and management. In all versions up to and including 6.6.7, it fails to properly validate the file path provided by the user.

The root cause is insufficient sanitization of user-supplied file paths. Attackers can supply path traversal sequences such as ../ to escape the intended directory and target arbitrary files elsewhere on the server. The vulnerable function performs a file rename operation, which can be abused to delete files outside the intended upload directory. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability.

If an attacker deletes wp-config.php, WordPress will present the installation wizard on the next visit, allowing the attacker to reconfigure the site with their own credentials and gain full administrative access. Other targets could include .htaccess or plugin files, further weakening site security.

The vulnerability is exploitable without authentication. Attackers can craft HTTP requests to the affected endpoint with malicious file path parameters, making this issue highly accessible for mass exploitation.

Affected Systems and Versions

  • WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress
  • All versions up to and including 6.6.7
  • No authentication required for exploitation
  • All configurations using the vulnerable plugin versions are affected

Vendor Security History

WP Travel Engine has experienced multiple critical vulnerabilities in recent years. Notably:

  • CVE-2025-30871: Local File Inclusion in versions up to 6.3.5 (Wordfence advisory)
  • Access control and file handling issues have been reported in other security advisories

These repeated issues indicate ongoing challenges with secure coding practices and input validation in the plugin's development lifecycle.
