CVE-2025-7526
Published: 09 October 2025
Summary
CVE-2025-7526 is a critical-severity Path Traversal (CWE-22) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion via insufficient path validation in the set_user_profile_image function. This affects all versions through 6.6.7 and is tracked as CWE-22 with a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the flaw over the network to delete arbitrary files on the server, including wp-config.php, which readily enables remote code execution.
The referenced Wordfence advisory and plugin source listing confirm the affected code path but do not detail specific mitigation steps beyond the version range.
EPSS remains flat at 0.0222 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33238
Vulnerability details
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190: Unauthenticated remote exploitation of a public-facing WordPress plugin.
- T1070.004: Enables arbitrary file deletion via path traversal, facilitating indicator removal.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of information inputs such as file paths, preventing the path traversal that enables arbitrary file deletion.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of flaws such as the insufficient file path validation in the vulnerable plugin.
- Enables real-time monitoring of the system to identify unauthorized file deletions indicative of active exploitation.
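As an added illustration of the SI-10 control above, the check below confines a caller-supplied profile-image file name to the WordPress uploads directory before any rename() or unlink() runs. This is example code written for this page, not the plugin's code or the fix shipped by its author; wp_upload_dir() and wp_unique_filename() are WordPress core functions, every other name is hypothetical.

```php
<?php
// Added example, not the plugin's code. Two layers of validation for a
// user-supplied profile-image file name before it reaches rename()/unlink():
//   1. a syntactic allow-list (bare file name, image extension, no separators)
//   2. canonical-path containment via realpath() under the uploads directory
// wp_upload_dir() and wp_unique_filename() are WordPress core; the rest is hypothetical.

function example_resolve_profile_image(string $file_name): ?string {
    $base = realpath(wp_upload_dir()['basedir']);
    if ($base === false) {
        return null;
    }
    // Layer 1: accept only "<name>.<image-ext>". This rules out "../",
    // absolute paths, NUL bytes and sub-directories in a single check.
    if (!preg_match('#^[A-Za-z0-9_\-]{1,100}\.(jpe?g|png|gif|webp)$#i', $file_name)) {
        return null;
    }
    // Layer 2: resolve symlinks and require the result to stay under $base.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $file_name);
    if ($resolved === false) {
        return null; // file does not exist or could not be canonicalised
    }
    if (strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the uploads directory (e.g. via a symlink)
    }
    return $resolved;
}

// Replace a user's current profile image with a freshly uploaded one. The old
// image is removed only after it is proven to live inside the uploads directory.
// Authorization (that the caller may change this profile) is a separate check
// that is not shown here.
function example_replace_profile_image(string $old_name, string $new_tmp_path): bool {
    $old = example_resolve_profile_image($old_name);
    if ($old === null) {
        return false; // refuse the whole operation rather than "cleaning" the path
    }
    $dir  = dirname($old);
    $dest = $dir . DIRECTORY_SEPARATOR . wp_unique_filename($dir, basename($new_tmp_path));
    if (!rename($new_tmp_path, $dest)) {
        return false;
    }
    return unlink($old);
}
```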