WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming
Platform
wordpress
Component
wp-travel-engine
Fixed in
6.6.8
CVE-2025-7526 describes an arbitrary file deletion vulnerability affecting the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. This vulnerability allows unauthenticated attackers to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 6.6.7. A fix is expected from the vendor.
Impact and Attack Scenarios
The primary impact of CVE-2025-7526 is the ability for an unauthenticated attacker to delete arbitrary files on a WordPress server. This is a severe risk because deleting critical configuration files, such as wp-config.php, can lead to complete compromise of the WordPress installation and remote code execution. An attacker could then gain full control over the server, steal sensitive data, or use it as a launchpad for further attacks. The ease of exploitation, combined with the potential for complete system takeover, makes this a high-priority vulnerability.
Exploitation Context
CVE-2025-7526 is currently not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the nature of the vulnerability suggests it could be exploited easily. Given the potential for remote code execution, it is likely to become a target for malicious actors. The NVD entry was published on 2025-10-09.
Who Is at Risk
Websites using the WP Travel Engine plugin, particularly those with default or weak file permissions, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over server file permissions. Any WordPress site running versions 0.0.0 through 6.6.7 of the plugin is potentially exposed.
Detection Steps
• wordpress / composer / npm:
grep -r 'set_user_profile_image' /var/www/html/wp-content/plugins/wp-travel-engine/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wp-travel-engine/set_user_profile_image.php
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wp-travel-engine'
Attack Timeline
- Disclosure
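The `wp plugin list` step above only confirms that the plugin is present; what matters is whether the installed release is at or below 6.6.7. The following POSIX shell script is an added example (not from the original page and not from the WP Travel Engine project): it reads the `Version:` header of the plugin's main file and compares it against the fixed release 6.6.8 stated on this page. The default WordPress root `/var/www/html` and the main file name `wp-travel-engine.php` are assumptions; pass your own root as the first argument.

```shell
#!/bin/sh
# Added example: report whether an installed wp-travel-engine copy is in the
# affected range (<= 6.6.7, fixed in 6.6.8). Plugin path and main file name
# are assumptions, not values taken from the vendor.

FIXED_VERSION="6.6.8"

# Print the value of the "Version:" header from a WordPress plugin main file.
# Matches both " * Version: 1.2.3" (docblock) and "Version: 1.2.3" styles.
wpte_plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2.
# Uses per-field numeric sort so 6.6.10 is correctly seen as newer than 6.6.8;
# avoids GNU-only "sort -V" so the check also runs on BSD/macOS hosts.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Return 0 when the given installed version is in the affected range.
wpte_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Inspect a WordPress install. Exit status: 0 affected, 1 patched, 2 not installed.
wpte_check_install() {
    root="${1:-/var/www/html}"                      # assumed default root
    main="$root/wp-content/plugins/wp-travel-engine/wp-travel-engine.php"  # assumed main file
    if [ ! -f "$main" ]; then
        echo "wp-travel-engine not found under $root"
        return 2
    fi
    v=$(wpte_plugin_version "$main")
    if [ -z "$v" ]; then
        echo "could not read Version: header from $main"
        return 2
    fi
    if wpte_is_affected "$v"; then
        echo "AFFECTED: wp-travel-engine $v is <= 6.6.7 (fixed in $FIXED_VERSION)"
        return 0
    fi
    echo "OK: wp-travel-engine $v is >= $FIXED_VERSION"
    return 1
}

# Run the check only when a WordPress root is supplied on the command line,
# so the functions can also be sourced from other scripts without side effects.
if [ -n "${1:-}" ]; then
    wpte_check_install "$1"
fi
```

Run it as `sh check-wpte.sh /var/www/html` and act on the exit status in a cron job or fleet-wide inventory script; after upgrading, a status of 1 is the expected result. The version comparison is deliberately numeric per field, because a plain string comparison would wrongly treat a future 6.6.10 as older than 6.6.8.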
Threat Intelligence
Exploit Status
EPSS
1.30% (80th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication. No credentials are required to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- High: total loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete outage or resource exhaustion. Total denial of service.
Affected Software
Package information
- Active installations
- 20K (known)
- Plugin rating
- 4.9
- Requires WordPress
- 5.8+
- Tested up to
- 6.9.4
- Requires PHP
- 7.4+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The immediate mitigation for CVE-2025-7526 is to upgrade the WP Travel Engine plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts. Monitor WordPress logs for unusual file access or deletion activity. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
How to fix
Update the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin to the latest available version to fix the arbitrary file deletion vulnerability. Check for available updates in the WordPress admin panel or in the WordPress plugin repository. Make sure to take a full backup of the site before updating.
Frequently asked questions
What is CVE-2025-7526 — Arbitrary File Access in WP Travel Engine?
CVE-2025-7526 is a CRITICAL vulnerability in the WP Travel Engine plugin for WordPress allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution.
Am I affected by CVE-2025-7526 in WP Travel Engine?
If your WordPress site uses the WP Travel Engine plugin and is running version 0.0.0 through 6.6.7, you are potentially affected by this vulnerability.
How do I fix CVE-2025-7526 in WP Travel Engine?
Upgrade the WP Travel Engine plugin to a patched version as soon as possible. If upgrading is not immediately feasible, implement temporary mitigations like restricting file permissions and using a WAF.
Is CVE-2025-7526 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to become a target for malicious actors.
Where can I find the official WP Travel Engine advisory for CVE-2025-7526?
Refer to the vendor's website or WordPress plugin repository for the official advisory and updated version information.