A critical vulnerability has been identified in multiple products from The WP Travel Engine, specifically affecting their WordPress plugins. This flaw allows an attacker to delete arbitrary files on the server, which could lead to a complete website outage, data loss, or potentially a full system compromise. Due to the high severity of this vulnerability, immediate action is required to prevent exploitation.

The vulnerability exists within a function of the plugin responsible for file operations. Due to insufficient validation of user-supplied file paths, an authenticated or unauthenticated attacker (depending on the function's access level) can use path traversal techniques (e.g., ../../..) to target and rename critical system files outside of the intended directory. By renaming a core file like wp-config.php or .htaccess, the attacker effectively deletes it from its required location, which can disable the website, trigger a WordPress re-installation process, or remove crucial security configurations.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the organization. Successful exploitation could result in a severe denial-of-service condition, making the website and associated services completely unavailable. This could lead to direct revenue loss, reputational damage, and a loss of customer trust. Furthermore, if an attacker successfully deletes wp-config.php, they may be able to initiate a new WordPress setup process and gain administrative control over the website, leading to a full compromise of sensitive data and the underlying server.

Immediate Action: Immediately apply the security patches provided by the vendor. Update The WP Travel Engine Multiple Products to the latest, secure version across all relevant web assets. After patching, review web server and application logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Implement continuous monitoring of web server access logs for suspicious POST or GET requests targeting the plugin's endpoints, specifically looking for path traversal sequences (../, %2e%2e%2f). Utilize a File Integrity Monitoring (FIM) solution to alert on any unauthorized changes, renames, or deletions of critical WordPress core files.

Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules designed to block path traversal attacks. As a temporary measure, disabling the vulnerable plugin would mitigate the risk, but this may impact business functionality. Additionally, ensure web server file permissions are hardened to prevent the web process user from writing to or deleting files outside of its designated directories.

Public Exploit Available: false

Given the critical severity of this vulnerability, immediate patching is the highest priority. All systems running the affected WP Travel Engine products must be updated without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high impact score makes it a prime candidate for future inclusion and an attractive target for attackers. Organizations should treat this as an active threat and escalate remediation efforts accordingly.