Security Alert Summary
The WP Travel Pro plugin contains a vulnerability that allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint. The issue stems from missing permission checks and lack of role validation when deleting users, and affects all versions up to and including 10.6.0.
CVE Details
- CVE ID: CVE-2026-4290
- Affected component: WP Travel Pro plugin for WordPress
- Affected versions: All versions up to and including 10.6.0
- Published: May 29, 2026 at 3:16:24 PM UTC
- Last modified: May 29, 2026 at 3:39:34 PM UTC
- CVSS v3.1: Base Score 9.1, Severity CRITICAL, Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Authentication / privileges / user interaction: No authentication required (PR:N), no user interaction required (UI:N)
- Primary impact: Confidentiality: None; Integrity: High; Availability: High
- Weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability exists in the WP Travel Pro plugin REST API endpoint /wp-json/wp-travel/v1/travel-guide/{user_id}. The plugin registers a permission callback named check_permission() that unconditionally returns true, and the Database::delete() method passes the supplied user ID directly to wp_delete_user() without validating the target user’s role. Because the permission callback does not restrict access, unauthenticated requests can reach the delete code path and cause deletion of arbitrary users, including administrator accounts.
The impact is deletion of user accounts (an integrity and availability impact). The CVE data does not indicate any direct disclosure of confidential data from this vulnerability.
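As an added illustration that is not code from the plugin or its vendor's patch, the following PHP shows the REST route pattern the advisory describes with the two missing checks put back: a permission callback that actually authorizes the caller, and a delete handler that validates the target account before calling wp_delete_user(). The namespace and route are taken from the endpoint URL above; the tg_ function names and the specific policy (never an administrator, never the requester's own account) are assumptions.

```php
<?php
// Added example: a hardened version of the REST route pattern the advisory
// describes. Not WP Travel Pro's code or the vendor's patch; the namespace and
// route come from the advisory's URL, the function names below are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'  => WP_REST_Server::DELETABLE,
        'callback' => 'tg_delete_travel_guide',
        // Vulnerable pattern from the advisory: a permission callback that
        // unconditionally returns true, so unauthenticated requests pass:
        //   'permission_callback' => function () { return true; },
        'permission_callback' => 'tg_check_permission',
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $v ) { return (int) $v > 0; },
            ),
        ),
    ) );
} );

// Permission callback: the caller must be authenticated and hold delete_users
// (by default only administrators). Returning a WP_Error carries an explicit
// 401/403 status back to the client.
function tg_check_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to delete users.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Handler: validate the target before wp_delete_user(), which is the role check
// the advisory says Database::delete() skipped.
function tg_delete_travel_guide( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    // Never remove an administrator or the requester's own account through
    // this endpoint; an allowlist of the roles it manages is stricter still.
    if ( in_array( 'administrator', (array) $target->roles, true ) || $user_id === get_current_user_id() ) {
        return new WP_Error( 'rest_cannot_delete', 'Account not deletable here.', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $deleted = wp_delete_user( $user_id );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted, 'user_id' => $user_id ) );
}
```

A quick site check for the weak pattern is to grep the plugin directory for `permission_callback` entries that are `__return_true` or a closure returning true, and confirm each such route is genuinely meant to be public.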
How This Could Impact Your Website
Consider a scenario where a site owner, several internal staff members (editors or authors), and an external contractor have accounts on a WordPress site using WP Travel Pro. An unauthenticated attacker could send requests to the plugin REST endpoint to delete selected user accounts. If administrator or editor accounts are removed, the site owner and staff may lose administrative access, workflow can be interrupted, and content management tasks may be blocked until accounts are restored.
Although this vulnerability does not indicate direct data disclosure, the resulting operational disruption can increase the risk of successful social engineering or targeted phishing attempts against staff while the site is recovering. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Immediately review and reduce unnecessary user roles, especially users with elevated privileges such as administrators and editors.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and user account changes for unusual behavior; keep recent backups before making changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.