CVE-2026-4290
Status: Deferred - Pending Action
Arbitrary User Deletion in WP Travel Pro WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
1 associated CPE
Vendor: wptravel
Product: wp_travel_pro
Version / Range: up to 10.6.0 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability allows unauthenticated attackers to delete arbitrary user accounts, including administrators, due to improper permission checks in the WP Travel Pro plugin. This unauthorized deletion of user data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over user data access and integrity.

Specifically, GDPR mandates protection of personal data against accidental or unlawful destruction, loss, or alteration. The ability for attackers to delete user accounts arbitrarily violates these principles, potentially resulting in data loss and failure to maintain data integrity and availability.

Similarly, HIPAA requires safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Unauthorized deletion of user accounts could compromise these safeguards, leading to regulatory violations.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to delete any user account on the affected WordPress site without authentication. This includes administrator accounts, which could lead to complete loss of control over the website, disruption of services, data loss, and potential further exploitation.

Executive Summary

The WP Travel Pro plugin for WordPress has a vulnerability that allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This happens because the REST API endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} uses a permission check that always returns true, and the user ID is passed directly to the deletion function without verifying the user's role.

Mitigation Strategies

The vulnerability exists in all versions of the WP Travel Pro plugin up to and including 10.6.0, allowing unauthenticated attackers to delete arbitrary user accounts via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint.

Immediate mitigation steps include updating the WP Travel Pro plugin to a version later than 10.6.0 where this vulnerability is fixed.

If an update is not immediately possible, consider disabling or restricting access to the vulnerable REST API endpoint to prevent unauthorized user deletions.

Additionally, review user accounts for any suspicious deletions and ensure backups are available to restore any lost accounts.
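The two defects the description names are a permission callback that always returns true and a deletion routine that never checks who is being deleted. The example below is added here and is not WP Travel Pro's own code or its fix: it shows the weak registration pattern next to a hardened one, and a must-use-plugin style stop-gap that refuses unauthenticated calls to the endpoint for sites that cannot update yet. The namespace 'wp-travel/v1', the route pattern 'travel-guide/(?P<user_id>\d+)', and every wptp_example_* function name are assumptions; only the endpoint path and version range come from the advisory.

```php
<?php
/**
 * Added example (not WP Travel Pro code). Assumed route shape:
 * namespace 'wp-travel/v1', route 'travel-guide/(?P<user_id>\d+)'.
 * All wptp_example_* names are hypothetical.
 */

// Weak pattern: every caller, logged in or not, passes the permission check.
function wptp_example_register_weak_route() {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wptp_example_delete_guide',
        'permission_callback' => '__return_true', // anyone reaches the callback
    ) );
}

// Hardened pattern: capability check, role guard and argument validation.
function wptp_example_register_hardened_route() {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wptp_example_delete_guide',
        'permission_callback' => 'wptp_example_can_delete_guide',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

function wptp_example_can_delete_guide( WP_REST_Request $request ) {
    // Unauthenticated callers never reach the deletion code.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Only users who may delete users in WordPress generally may delete here.
    if ( ! current_user_can( 'delete_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    $target = (int) $request['user_id'];
    // Refuse to delete administrators or the caller's own account via this route.
    if ( user_can( $target, 'manage_options' ) || $target === get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'This account cannot be deleted via this endpoint.', array( 'status' => 403 ) );
    }
    return true;
}

function wptp_example_delete_guide( WP_REST_Request $request ) {
    $target = (int) $request['user_id'];
    if ( ! get_userdata( $target ) ) {
        return new WP_Error( 'rest_user_invalid', 'Unknown user.', array( 'status' => 404 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
    $deleted = wp_delete_user( $target );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted, 'user_id' => $target ) );
}

// Stop-gap for sites that cannot update yet: reject unauthenticated requests to the
// route before any callback runs. Place in wp-content/mu-plugins/ so it loads first.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();
    if ( 0 === strpos( $route, '/wp-travel/v1/travel-guide/' ) && ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint restricted.', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

The permission callback returns WP_Error with an explicit status rather than false, so a rejected request produces a 401 or 403 instead of a generic 500-style "rest_forbidden" with no detail in the logs. The stop-gap filter is a temporary control: it only blocks the unauthenticated case the advisory describes and should be removed once the plugin is updated past 10.6.0, after which the vendor's own permission check applies.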
