The vulnerability allows an attacker to rename any file on the server by submitting a crafted request to the set_user_profile_image function in the WP Travel Engine – Tour Booking Plugin. The insufficient path validation means the function accepts any relative or absolute path, resulting in arbitrary file deletion when the rename target is an existing file. Deletion of critical configuration files such as wp-config.php can directly lead to remote code execution, so the impact includes loss of confidentiality, integrity, and availability. The weakness maps to CWE‑22: Path Traversal.

All installations of the WP Travel Engine – Tour Booking Plugin – Tour Operator Software with versions up to and including 6.6.7 are affected. The plugin is used within WordPress sites that host travel booking functionality. No versions newer than 6.6.7 provide a fix as of the last public update.

The base scoring shows a CVSS score of 9.8, indicating critical severity. The EPSS of 1% signals that while the probability of exploitation is low, the risk is not insignificant due to the high impact. The vulnerability is not listed in the CISA KEV catalog, but its potential for remote code execution makes it a high‑priority issue. An attacker could trigger the deletion by issuing a crafted HTTP request to the plugin’s endpoint; authentication may be required depending on site configuration, but unauthenticated users can often invoke the function to delete files via the WordPress media library workflow. The deletion can be performed without additional privileges once the attacker reaches the image upload process.