CVE-2025-7526: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Critical
Published: Thu Oct 09 2025 (10/09/2025, 05:23:52 UTC)
Source: CVE Database V5
Vendor/Project: wptravelengine
Product: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Description

CVE-2025-7526 is a critical path traversal vulnerability in the WP Travel Engine WordPress plugin, allowing unauthenticated attackers to delete arbitrary files on the server. The flaw exists in the set_user_profile_image function due to insufficient validation of file paths. Exploitation can lead to deletion of critical files like wp-config.php, potentially enabling remote code execution. The vulnerability affects all versions up to and including 6.6.7. No authentication or user interaction is required, and the attack can be performed remotely over the network. The CVSS score is 9.8, reflecting its critical severity and ease of exploitation.

AI-Powered Analysis

Last updated: 10/16/2025, 08:53:16 UTC

Technical Analysis

CVE-2025-7526 is a critical security vulnerability classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal) found in the WP Travel Engine – Tour Booking Plugin for WordPress. This plugin, widely used by tour operators to manage bookings, suffers from insufficient validation of file paths in the set_user_profile_image function. Specifically, the vulnerability allows an unauthenticated attacker to manipulate file paths to delete arbitrary files on the server by exploiting the path traversal flaw. Because the plugin does not properly restrict or sanitize the input paths, attackers can traverse directories and target sensitive files such as wp-config.php, which contains database credentials and other critical configuration data. Deleting or tampering with such files can lead to remote code execution, allowing attackers to gain full control over the affected WordPress instance and potentially the underlying server. The vulnerability affects all versions up to and including 6.6.7, with no known patches available at the time of disclosure. The CVSS v3.1 base score is 9.8, indicating a critical severity level due to the vulnerability's network accessibility (AV:N), lack of required privileges (PR:N), no user interaction needed (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits have been observed in the wild yet, the ease of exploitation and potential impact make this a high-risk threat. Organizations using this plugin should consider immediate mitigation steps to prevent exploitation.

Potential Impact

For European organizations, the impact of CVE-2025-7526 can be severe. Many tourism-related businesses in Europe rely on WordPress plugins like WP Travel Engine for managing bookings and customer interactions. Exploitation of this vulnerability could lead to unauthorized deletion of critical files, resulting in website downtime, loss of customer data, and exposure of sensitive configuration information. This can disrupt business operations, damage reputation, and lead to financial losses. Furthermore, successful remote code execution could allow attackers to deploy malware, conduct further lateral movement within the network, or exfiltrate data. Given the criticality and ease of exploitation, organizations face a high risk of compromise, especially those with publicly accessible WordPress sites that have not applied mitigations. The tourism sector, which is vital to many European economies, could be particularly affected, impacting both service providers and their customers.

Mitigation Recommendations

1. Immediate upgrade: Monitor for official patches or updates from the WP Travel Engine plugin developers and apply them as soon as they become available.
2. Temporary workaround: Restrict access to the vulnerable function by implementing web application firewall (WAF) rules that block suspicious requests attempting path traversal patterns targeting the set_user_profile_image function.
3. File system permissions: Harden file system permissions to prevent the web server user from deleting or modifying critical files such as wp-config.php.
4. Input validation: If custom code is used, implement strict validation and sanitization of all file path inputs to prevent traversal sequences (e.g., ../).
5. Monitoring and logging: Enable detailed logging of file operations and monitor for unusual deletion or modification activities.
6. Backup: Ensure regular, secure backups of WordPress sites and configuration files to enable rapid recovery in case of compromise.
7. Network segmentation: Isolate WordPress servers from critical internal systems to limit the impact of a potential breach.
8. Incident response readiness: Prepare incident response plans specifically addressing web application compromises and file deletion attacks.
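The containment check that mitigation item 4 calls for, applied to the kind of file-deletion path the Technical Analysis describes, as an added example in WordPress-style PHP. This is not the plugin's code: the function name, the profile-images subdirectory and the bare-file-name contract are assumptions made for the illustration.

```php
<?php
// Added example, not code from the WP Travel Engine plugin. Assumes profile
// images live in the constructed subdirectory wp-content/uploads/profile-images/
// and that the request supplies only a file name, never a path.

function delete_profile_image_safely( string $requested ): bool {
    // The weak pattern behind CWE-22 is unlinking a path built from request
    // input with no authentication and no containment check, so a value such
    // as '../../wp-config.php' escapes the uploads directory. Everything
    // below is the hardened replacement.

    // 1. Authentication: file deletion is never an anonymous operation.
    if ( ! is_user_logged_in() ) {
        return false;
    }

    // 2. Allow-list the shape of the input: a bare image file name only.
    //    This rejects slashes, '..', null bytes and non-image extensions.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,100}\.(jpe?g|png|gif|webp)\z/', $requested ) ) {
        return false;
    }

    // 3. Resolve the allowed directory and the target on disk. realpath()
    //    follows symlinks, so a planted link is judged by where it points.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] . '/profile-images' );
    if ( $base === false ) {
        return false; // directory does not exist: nothing to delete
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );

    // 4. Containment check with the trailing separator included, so a sibling
    //    directory such as 'profile-images-old' does not pass a bare prefix test.
    if ( $target === false || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }

    // 5. Delete only a regular file, never a directory.
    if ( ! is_file( $target ) ) {
        return false;
    }
    wp_delete_file( $target ); // WordPress wrapper around unlink()
    return true;
}
```

Pair this with mitigation item 3: even if a check like this is bypassed, the web server user should lack write permission on wp-config.php, so the deletion fails at the filesystem.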


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-12T08:37:47.770Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e74b345132fb26fe2091f7

Added to database: 10/9/2025, 5:42:12 AM

Last enriched: 10/16/2025, 8:53:16 AM

Last updated: 11/23/2025, 5:02:33 PM

