CVE-2026-4290

Vulnerability

The WP Travel Pro plugin for WordPress, versions up to and including 10.6.0, contains a critical authorization flaw in the REST API endpoint /wp-json/wp-travel/v1/travel-guide/{user_id}. The check_permission() callback unconditionally returns true, and the Database::delete() method passes the user ID directly to wp_delete_user() without any role validation. This allows unauthenticated attackers to delete arbitrary user accounts [1].

Exploitation

An attacker can exploit this vulnerability by sending a DELETE request to the /wp-json/wp-travel/v1/travel-guide/{user_id} endpoint with a valid user ID. No authentication or special privileges are required. The attacker simply needs network access to the WordPress site. The request triggers the deletion of the specified user account without any permission checks.

Impact

Successful exploitation allows an unauthenticated attacker to delete any user account on the WordPress site, including administrator accounts. This can lead to complete denial of service if all admin accounts are removed, or privilege escalation if the attacker deletes a lower-privileged account to cause disruption. The impact is severe as it compromises the integrity and availability of the site's user management.

Mitigation

As of the publication date, no official patch has been released. Users are advised to update to a version beyond 10.6.0 if available. In the absence of a patch, administrators can temporarily disable the vulnerable REST API endpoint by adding custom code to block requests to /wp-json/wp-travel/v1/travel-guide/ or implement proper permission checks via a custom plugin. The vendor's website [1] may provide updates.