CVE-2026-4290
Status: Deferred - Pending Action
Arbitrary User Deletion in WP Travel Pro WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
Affected Vendors & Products
Vendor: wptravel
Product: wp_travel_pro
Version / Range: all versions up to and including 10.6.0
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability lets an unauthenticated attacker delete arbitrary user accounts, including administrators, because the WP Travel Pro REST endpoint performs no authorization check. Account records are personal data, so their unauthorized destruction is a data-protection failure, not only an availability problem.

Under GDPR, Article 5(1)(f) and Article 32 require personal data to be protected against accidental or unlawful destruction, loss or alteration, and Article 4(12) defines the unlawful destruction of personal data as a personal data breach, which can trigger the 72-hour notification duty to the supervisory authority under Article 33. A site that has been exploited may therefore have a breach to report, not merely a defect to patch.

HIPAA applies only where the site stores or processes electronic protected health information (ePHI); most travel-booking sites will not. Where it does apply, the Security Rule requires safeguards for the integrity and availability of ePHI, and an account-deletion primitive that bypasses access control undermines those safeguards. In either regime, the practical question for an assessor is whether the endpoint was reachable from the internet on a vulnerable version and whether user records went missing during that window.


How can this vulnerability impact me?

Anyone who can reach /wp-json/ on an affected site can delete any user account, no login required. Deleting administrator accounts hands the attacker effective control of the site: legitimate operators are locked out, there may be no remaining account able to install the patch, and recovery requires database or hosting-panel access. Because the ID goes straight to wp_delete_user() with no reassignment target, WordPress also removes content authored by the deleted user, so the damage can extend to posts and pages, not only to logins. Attackers can enumerate user IDs by simply iterating the numeric {user_id} path segment.


Can you explain this vulnerability to me?

The WP Travel Pro plugin for WordPress registers a REST route at /wp-json/wp-travel/v1/travel-guide/{user_id} for removing travel-guide accounts. Its permission callback, check_permission(), always returns true, so WordPress never rejects the request, and the handler (Database::delete()) passes the {user_id} taken from the URL straight to wp_delete_user() without checking the caller's capabilities or the target account's role. The result is that an unauthenticated attacker can delete any user, including administrators, in all versions up to and including 10.6.0 (CWE-862, missing authorization).
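The following PHP is an added illustration of the pattern the advisory describes and of a hardened route registration; it is not the WP Travel Pro plugin's own code. The REST namespace and path are taken from the advisory; the HTTP method (DELETE), the callback and function names prefixed tg_, and the travel_guide role name are assumptions made for the example.

```php
<?php
// Added illustrative example, not WP Travel Pro code. Namespace and path are
// from the advisory; the HTTP method, tg_* names and the role name are assumed.

// --- Vulnerable pattern (the behaviour the advisory describes) ---
// permission_callback always grants access, and the handler passes the URL
// parameter straight to wp_delete_user() with no capability or role check.
function tg_register_vulnerable_route() {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,   // assumed method
        'callback'            => 'tg_delete_guide_vulnerable',
        'permission_callback' => '__return_true',             // CWE-862: no authz
    ) );
}

function tg_delete_guide_vulnerable( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = (int) $request['user_id'];
    // No reassignment target: the account's posts are deleted with it.
    return rest_ensure_response( array( 'deleted' => wp_delete_user( $user_id ) ) );
}

// --- Hardened registration ---
function tg_register_hardened_route() {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'tg_delete_guide_hardened',
        'permission_callback' => 'tg_can_delete_guide',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => static function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

// Permission callback: the caller must be authenticated (cookie auth also
// requires a valid X-WP-Nonce header, which the REST server checks before
// this runs) and hold the core delete_users capability.
function tg_can_delete_guide( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'delete_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete users.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function tg_delete_guide_hardened( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = (int) $request['user_id'];
    $target  = get_userdata( $user_id );

    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'No such user.',
            array( 'status' => 404 ) );
    }
    // Target-side role validation, which the advisory says is missing: only
    // accounts in the plugin's own guide role may be removed through this
    // route (role name assumed), and administrators are never deletable here.
    if ( ! in_array( 'travel_guide', (array) $target->roles, true ) ) {
        return new WP_Error( 'rest_forbidden', 'Only travel-guide accounts can be deleted here.',
            array( 'status' => 403 ) );
    }
    if ( user_can( $target, 'manage_options' ) || get_current_user_id() === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Refusing to delete this account.',
            array( 'status' => 403 ) );
    }
    // Reassign authored content to the caller so wp_delete_user() does not
    // drop the deleted account's posts along with the account.
    $ok = wp_delete_user( $user_id, get_current_user_id() );
    return rest_ensure_response( array( 'deleted' => (bool) $ok ) );
}

add_action( 'rest_api_init', 'tg_register_hardened_route' );
```

Two checks are layered deliberately: the permission callback answers "may this caller delete users at all?", while the handler answers "may this particular account be deleted through this route?". A permission callback alone would still let a legitimate editor with delete_users remove an administrator, which is exactly the class of damage the advisory warns about. To confirm a site no longer exposes the unauthenticated path, send the same request without any cookie or nonce and expect a 401 rather than a deletion.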

