CVE-2025-7526: 
WordPress vulnerability analysis and mitigation

The WP Travel Engine WordPress plugin (versions up to 6.6.7) contains a critical vulnerability (CVE-2025-7526) discovered on October 8, 2025. This security flaw allows unauthenticated attackers to perform arbitrary file deletion through file renaming operations due to insufficient file path validation in the setuserprofile_image function (NVD, Wordfence).

The vulnerability stems from improper validation of file paths in the setuserprofile_image function within the plugin's form handler class. The function, located at line 512 of class-wp-travel-engine-form-handler.php, allows for arbitrary file renaming operations that can be exploited to delete files on the server. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability can lead to arbitrary file deletion on the server, which could result in severe consequences. Most critically, attackers could potentially delete crucial files such as wp-config.php, leading to remote code execution opportunities. This poses a significant risk to the integrity and security of affected WordPress installations (NVD).

Website administrators running the WP Travel Engine plugin should immediately update to a version newer than 6.6.7 if available. Until an update can be applied, it is recommended to implement additional security measures such as web application firewalls and to monitor for any suspicious file system activities (NVD).