The WP Travel Engine plugin for WordPress has a security issue in versions up to 6.3.5. This means that hackers with contributor-level or higher access can include and run any files on the server, which could contain harmful code. This can lead to bypassing security measures, accessing private information, or even executing code. This vulnerability can be exploited by uploading seemingly harmless files, like images.