Introduction
Attackers can delete critical files on any WordPress site running vulnerable versions of WP Travel Engine, potentially leading to full site takeover and remote code execution. With over 10,000 active installations, this issue directly impacts travel operators and booking platforms worldwide.
WP Travel Engine is a specialized WordPress plugin designed for tour operators and travel agencies. It powers booking and itinerary management for thousands of travel industry websites. The plugin's broad adoption in the tourism sector means vulnerabilities can have immediate and far-reaching operational and data security consequences.
Technical Information
CVE-2025-7526 is an arbitrary file deletion vulnerability in the WP Travel Engine plugin for WordPress. The flaw exists in the set_user_profile_image function located in includes/dashboard/class-wp-travel-engine-form-handler.php (see source). This function is responsible for handling user profile image uploads and management. In all versions up to and including 6.6.7, it fails to properly validate the file path provided by the user.
The root cause is insufficient sanitization of user-supplied file paths. Attackers can supply path traversal sequences such as ../ to escape the intended directory and target arbitrary files elsewhere on the server. The vulnerable function performs a file rename operation, which can be abused to delete files outside the intended upload directory. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
If an attacker deletes wp-config.php, WordPress will present the installation wizard on the next visit, allowing the attacker to reconfigure the site with their own credentials and gain full administrative access. Other targets could include .htaccess or plugin files, further weakening site security.
The vulnerability is exploitable without authentication. Attackers can craft HTTP requests to the affected endpoint with malicious file path parameters, making this issue highly accessible for mass exploitation.
Affected Systems and Versions
- WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress
- All versions up to and including 6.6.7
- No authentication required for exploitation
- All configurations using the vulnerable plugin versions are affected
Vendor Security History
WP Travel Engine has experienced multiple critical vulnerabilities in recent years. Notably:
- CVE-2025-30871: Local File Inclusion in versions up to 6.3.5 (details, Wordfence advisory)
- Access control and file handling issues have been reported in other security advisories
These repeated issues indicate ongoing challenges with secure coding practices and input validation in the plugin's development lifecycle.