CVE-2025-7526

Critical

Published: 09 October 2025

Published

09 October 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0164 82.1th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7526 is a critical-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of information inputs like file paths to prevent path traversal exploits enabling arbitrary file deletion.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws such as insufficient file path validation in vulnerable plugins.

SI-4 System Monitoring partial match

detect

Enables real-time monitoring of the system to identify unauthorized file deletions indicative of active exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

Why these techniques?

T1190: Unauthenticated remote exploitation of a public-facing WordPress plugin. T1070.004: Enables arbitrary file deletion via path traversal, facilitating indicator removal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including,…

6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Deeper analysisAI

CVE-2025-7526 is a critical vulnerability in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress, affecting all versions up to and including 6.6.7. It enables arbitrary file deletion via renaming due to insufficient file path validation in the set_user_profile_image function. The issue is classified under CWE-22 (path traversal) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and no privileges or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely to delete arbitrary files on the server. By targeting critical files such as wp-config.php, exploitation can easily escalate to remote code execution, potentially compromising the entire WordPress installation.

Advisories provide insight into the vulnerability through source code references and threat intelligence. The WordPress plugin trac at line 512 in class-wp-travel-engine-form-handler.php (version 6.5.6) highlights the flawed validation, while the Wordfence threat intel page details the issue for further analysis and mitigation guidance.