๐Ÿ” CVE Alert

CVE-2026-10834

MEDIUM 4.6

WP Travel Engine < 6.8.1 - Subscriber+ Arbitrary Media File Move via user_profile_image

CVSS Score
4.6
EPSS Score
0.1%
EPSS Percentile
4th

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

Vendor unknown
Product wp travel engine
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for unknown wp travel engine

Be the first to know when new medium vulnerabilities affecting unknown wp travel engine are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / WP Travel Engine
0 < 6.8.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/5b939f98-0fbd-4f89-9948-77dbcc67f9d3/

Credits

marim00 WPScan