Home

Description

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

PUBLISHED Reserved 2026-06-04 | Published 2026-07-07 | Updated 2026-07-09 | Assigner WPScan

Problem types

CWE-73 External Control of File Name or Path

Product status

Default status
unaffected

Any version before 6.8.1
affected

Credits

marim00 finder

WPScan coordinator

References

wpscan.com/...rability/5b939f98-0fbd-4f89-9948-77dbcc67f9d3/ exploit vdb-entry technical-description

cve.org (CVE-2026-10834)

nvd.nist.gov (CVE-2026-10834)

Download JSON