CVE-2025-7526: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-7526 is a critical security vulnerability classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) affecting the WP Travel Engine – Tour Booking Plugin for WordPress. The flaw exists in the set_user_profile_image function, where insufficient validation of file paths allows an attacker to supply a pathname that causes arbitrary files on the server to be deleted through a rename operation. Since the vulnerability is exploitable without authentication or user interaction, an attacker can remotely trigger file deletions, including of sensitive files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can lead to remote code execution by enabling attackers to upload malicious files or disrupt the application’s normal operation, potentially gaining full control over the affected server. The vulnerability affects all versions up to and including 6.6.7 of the plugin. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network vector, no privileges required, no user interaction). Although no known exploits are currently reported in the wild, the severity and simplicity of exploitation make this a significant threat to WordPress sites using this plugin.
Potential Impact
The impact of CVE-2025-7526 is severe for organizations using the WP Travel Engine plugin. Successful exploitation can lead to arbitrary file deletion, which may disrupt website functionality, cause data loss, and compromise server integrity. Deletion of critical files like wp-config.php can enable attackers to execute arbitrary code remotely, potentially leading to full server takeover, data breaches, defacement, or use of the server as a pivot point for further attacks. This can result in downtime, loss of customer trust, regulatory penalties, and financial losses. Since WordPress powers a significant portion of the web, and this plugin is used by tour operators and travel agencies, the threat affects both small businesses and larger enterprises in the travel sector. The unauthenticated nature of the exploit increases the risk of widespread automated attacks and exploitation by opportunistic threat actors.
Mitigation Recommendations
1. Upgrade immediately to a patched version of the WP Travel Engine plugin once released by the vendor. Monitor official channels for patch announcements.
2. In the absence of an official patch, implement a Web Application Firewall (WAF) with custom rules to detect and block path traversal attempts targeting the set_user_profile_image function or related endpoints.
3. Restrict file system permissions for the WordPress installation to limit the plugin’s ability to delete critical files, ensuring the web server user has minimal privileges.
4. Regularly back up WordPress files and databases to enable quick recovery in case of file deletion or compromise.
5. Monitor server and application logs for suspicious file deletion activity or unusual requests targeting the vulnerable function.
6. Consider temporarily disabling or removing the WP Travel Engine plugin if immediate patching is not feasible and the risk is unacceptable.
7. Employ intrusion detection systems to alert on anomalous file system changes.
8. Educate administrators on the risks and signs of exploitation to enable rapid incident response.
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-12T08:37:47.770Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e74b345132fb26fe2091f7
Added to database: 10/9/2025, 5:42:12 AM
Last enriched: 2/26/2026, 4:18:35 PM
Last updated: 3/24/2026, 12:56:41 PM