Platform: wordpress
Component: wp-travel-engine
Fixed in: 6.6.8
CVE-2025-7526 describes an arbitrary file deletion vulnerability affecting the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. This vulnerability allows unauthenticated attackers to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 6.6.7. A fix is expected from the vendor.
The primary impact of CVE-2025-7526 is the ability for an unauthenticated attacker to delete arbitrary files on a WordPress server. This is a severe risk because deleting critical configuration files, such as wp-config.php, can lead to complete compromise of the WordPress installation and remote code execution. An attacker could then gain full control over the server, steal sensitive data, or use it as a launchpad for further attacks. The ease of exploitation, combined with the potential for complete system takeover, makes this a high-priority vulnerability.
CVE-2025-7526 is currently not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the nature of the vulnerability suggests it could be exploited easily. Given the potential for remote code execution, it is likely to become a target for malicious actors. The NVD entry was published on 2025-10-09.
Websites using the WP Travel Engine plugin, particularly those with default or weak file permissions, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over server file permissions. Any WordPress site running versions 0.0.0 through 6.6.7 of the plugin is potentially exposed.
• wordpress / composer / npm:
grep -r 'set_user_profile_image' /var/www/html/wp-content/plugins/wp-travel-engine/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wp-travel-engine/set_user_profile_image.php
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wp-travel-engine'
Disclosure
Exploit status
EPSS: 1.30% (80th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-7526 is to upgrade the WP Travel Engine plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts. Monitor WordPress logs for unusual file access or deletion activity. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Update the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin to the latest available version to fix the arbitrary file deletion vulnerability. Check for available updates in the WordPress admin dashboard or in the WordPress plugin repository. Make sure to take a full backup of the site before updating.
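As an added example that is not part of this advisory or of the plugin vendor's code, the following POSIX shell script reads the version declared in the plugin's main file header and classifies it against the affected range 0.0.0 through 6.6.7 (fixed in 6.6.8), which is a more reliable check than probing a file name over HTTP. The main-file name wp-travel-engine.php and the sample header it runs on are assumptions.

```shell
# Added example (not from the advisory or the plugin vendor): classify an installed
# WP Travel Engine build against CVE-2025-7526's affected range 0.0.0 - 6.6.7.
# Assumption: the plugin's main file is wp-travel-engine.php and carries the usual
# WordPress "Version:" header line; the sample header at the bottom is constructed.
FIXED_VERSION="6.6.8"

# version_lt A B: exit 0 when A < B. Compares the first three dot-separated numeric
# components; missing components count as 0 and a suffix such as "-rc1" is ignored.
version_lt() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# plugin_version_from_header FILE: print the value of the " * Version: X.Y.Z" line
# from the WordPress plugin header block, or nothing if it cannot be found.
plugin_version_from_header() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.A-Za-z-]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# is_affected VERSION: exit 0 when VERSION is older than the fixed release.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_dir DIR: report on the plugin installed under DIR.
# Exit status: 0 = affected, 1 = fixed, 2 = version could not be determined.
check_plugin_dir() {
    v=$(plugin_version_from_header "$1/wp-travel-engine.php")
    if [ -z "$v" ]; then
        echo "wp-travel-engine: no Version header found under $1"; return 2
    fi
    if is_affected "$v"; then
        echo "wp-travel-engine $v: affected by CVE-2025-7526 (fixed in $FIXED_VERSION)"; return 0
    fi
    echo "wp-travel-engine $v: not affected (>= $FIXED_VERSION)"; return 1
}

# Constructed sample standing in for wp-content/plugins/wp-travel-engine/.
demo_dir=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: WP Travel Engine\n * Version: 6.6.7\n */\n' > "$demo_dir/wp-travel-engine.php"
check_plugin_dir "$demo_dir"
rm -rf "$demo_dir"
```

On a live site, point check_plugin_dir at the real plugin directory (for example /var/www/html/wp-content/plugins/wp-travel-engine) instead of the constructed sample.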
CVE-2025-7526 is a CRITICAL vulnerability in the WP Travel Engine plugin for WordPress allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution.
If your WordPress site uses the WP Travel Engine plugin and is running version 0.0.0 through 6.6.7, you are potentially affected by this vulnerability.
Upgrade the WP Travel Engine plugin to a patched version as soon as possible. If upgrading is not immediately feasible, implement temporary mitigations like restricting file permissions and using a WAF.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to become a target for malicious actors.
Refer to the vendor's website or WordPress plugin repository for the official advisory and updated version information.