Platform: wordpress
Component: wp-travel-engine
Fixed in: 6.6.8
CVE-2025-7526 describes an arbitrary file deletion vulnerability affecting the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. This vulnerability allows unauthenticated attackers to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 6.6.7. A fix is expected from the vendor.
The primary impact of CVE-2025-7526 is the ability for an unauthenticated attacker to delete arbitrary files on a WordPress server. This is a severe risk because deleting critical configuration files, such as wp-config.php, can lead to complete compromise of the WordPress installation and remote code execution. An attacker could then gain full control over the server, steal sensitive data, or use it as a launchpad for further attacks. The ease of exploitation, combined with the potential for complete system takeover, makes this a high-priority vulnerability.
CVE-2025-7526 is currently not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the nature of the vulnerability suggests it could be easily exploited. Given the potential for remote code execution, it is likely to become a target for malicious actors. The NVD entry was published on 2025-10-09.
Exploit Status
EPSS: 1.30% (80th percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-7526 is to upgrade the WP Travel Engine plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts. Monitor WordPress logs for unusual file access or deletion activity. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Update the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin to the latest available version to address the arbitrary file deletion vulnerability. Check for updates in the WordPress admin panel or the WordPress plugin repository. Ensure you perform a full site backup before updating.
CVE-2025-7526 is a CRITICAL vulnerability in the WP Travel Engine plugin for WordPress allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution.
If your WordPress site uses the WP Travel Engine plugin and is running version 0.0.0 through 6.6.7, you are potentially affected by this vulnerability.
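To check whether an installation falls inside the affected range, the following added example (not code from the advisory or from the plugin vendor) reads the `Version:` header that every WordPress plugin main file carries and compares it against the fixed release 6.6.8. The path `wp-content/plugins/wp-travel-engine/wp-travel-engine.php` is an assumption; it also treats a pre-release build of 6.6.8 as unfixed, which goes slightly beyond the range stated above.

```python
"""Flag WP Travel Engine installs affected by CVE-2025-7526.
Affected: 0.0.0 through 6.6.7. Fixed in: 6.6.8.
Added example; not vendor code. Main-file path is an assumption."""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "6.6.8"
# Assumed location of the plugin's main file, relative to the WP root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/wp-travel-engine/wp-travel-engine.php")

# Constructed sample of a WordPress plugin header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Travel Engine
 * Version: 6.6.7
 */
"""


def parse_version(text: str) -> tuple:
    """Turn '6.6.7' or '6.6.8-beta1' into a comparable tuple.
    Components compare numerically, so 6.6.10 sorts above 6.6.8; numeric
    parts are padded to four places and a final flag marks pre-releases
    (-1) below the bare release (0), so '6.6.8-beta1' < '6.6.8'."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = ([int(p) for p in m.group(1).split(".")] + [0, 0, 0, 0])[:4]
    parts.append(-1 if m.group(2).strip() else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is below the fixed release (0.0.0 .. 6.6.7)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from plugin header text (WordPress
    itself only inspects the first 8 KB of the main file)."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text[:8192],
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def check_install(main_file: Path = PLUGIN_MAIN_FILE) -> str:
    """Return 'not installed', 'unknown version', 'affected <v>' or 'fixed <v>'."""
    if not main_file.is_file():
        return "not installed"
    version = version_from_header(main_file.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "unknown version"
    return f"{'affected' if is_affected(version) else 'fixed'} {version}"


if __name__ == "__main__":
    print(check_install())
```

Run it from the WordPress root on each host; any `affected` result means the site is still inside the CVE-2025-7526 range and should be upgraded.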
Upgrade the WP Travel Engine plugin to a patched version as soon as possible. If upgrading is not immediately feasible, implement temporary mitigations like restricting file permissions and using a WAF.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to become a target for malicious actors.
Refer to the vendor's website or WordPress plugin repository for the official advisory and updated version information.