Cyber Resilience

CVE-2025-7526

Critical

Published: 09 October 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0222 (84.9th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7526 is a critical-severity Path Traversal (CWE-22) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion via insufficient path validation in the set_user_profile_image function. This affects all versions through 6.6.7 and is tracked as CWE-22 with a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the flaw over the network to delete arbitrary files on the server, including wp-config.php, which readily enables remote code execution.

The referenced Wordfence advisory and plugin source listing confirm the affected code path but do not detail specific mitigation steps beyond the version range.

EPSS remains flat at 0.0222 with no observed rise after disclosure.

Vulnerability details

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
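As an added illustration of the control this advisory points to (validation of user-supplied file paths), the following PHP function is example code and not the plugin's own: it accepts only a bare image file name and requires the canonicalised path to stay inside the uploads directory before any rename() or unlink() is attempted. The function name, the allowed-extension list and the uploads directory are assumptions; in WordPress the directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example, not code from the WP Travel Engine plugin. Hypothetical helper:
// returns the canonical path of a profile image inside $uploads_basedir, or null
// when the request must be refused. Only a non-null result may reach rename()/unlink().
function secure_profile_image_path(string $uploads_basedir, string $requested): ?string
{
    // Refuse NUL bytes, which can truncate paths in lower-level file APIs.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only; any directory component (including "..") is rejected.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Restrict to image extensions (assumed allow-list).
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    // Canonicalise both sides; realpath() resolves symlinks and returns false
    // for non-existent targets, so phantom files are refused as well.
    $base = realpath($uploads_basedir);
    $full = realpath($uploads_basedir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    // Containment check: the resolved file must live under the resolved base
    // directory (trailing separator stops "/uploads-evil" from matching "/uploads").
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed inputs: the first is accepted only if that file really exists under
// the uploads directory; the others are refused before any file operation runs.
$uploads = '/var/www/html/wp-content/uploads'; // assumed; use wp_upload_dir()['basedir'] in WordPress
foreach (['avatar.png', '../../wp-config.php', 'x/../../wp-config.php', "avatar.png\0.php"] as $input) {
    $safe = secure_profile_image_path($uploads, $input);
    echo str_replace("\0", '\0', $input), ' => ', $safe === null ? 'refused' : 'ok: ' . $safe, PHP_EOL;
}
```

Pair the validation with monitoring of rename() and unlink() activity under wp-content, which is the detection side of the same control set.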

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

T1190: Unauthenticated remote exploitation of a public-facing WordPress plugin. T1070.004: Enables arbitrary file deletion via path traversal, facilitating indicator removal.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)
CVE-2026-22460 (shared CWE-22)
CVE-2025-69377 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-26752 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)
CVE-2026-4758 (shared CWE-22)
CVE-2026-0704 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation of information inputs such as file paths, preventing the path traversal that enables arbitrary file deletion.

Prevent: SI-2 (Flaw Remediation). Mandates identification, reporting, and correction of flaws such as insufficient file path validation in vulnerable plugins.

Detect: Enables real-time monitoring of the system to identify unauthorized file deletions indicative of active exploitation.

References