CVE-2026-4290

PUBLISHED
Published: 29 May 2026, 14:29
Last modified: 29 May 2026, 14:29

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 May 2026, 14:29
Published
Vulnerability first disclosed

Description

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
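The two defects the description names, a permission callback that always returns true and a delete routine that hands the path parameter straight to wp_delete_user(), can be shown side by side in the shape a WordPress REST route takes. The following is an added illustration, not code from WP Travel Pro or its vendor: the namespace, route, function and role names (example/v1, guide, example_delete_guide, travel_guide) are hypothetical, and the hardened route is one reasonable fix rather than the plugin's actual patch.

```php
<?php
/**
 * Added illustration (not WP Travel Pro's code). Route, namespace, function
 * and role names are hypothetical. Loads only inside WordPress.
 */

// --- Weak form: the pattern the advisory describes ---------------------------
// '__return_true' as the permission callback means WordPress never asks who the
// caller is, so the route is reachable unauthenticated. The handler then trusts
// the path parameter and passes it straight to wp_delete_user(), so any user ID,
// including an administrator's, can be removed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
            wp_delete_user( (int) $request['user_id'] );        // no role check of caller or target
            return rest_ensure_response( array( 'deleted' => true ) );
        },
    ) );
} );

// --- Hardened form -----------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/guide-safe/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return ctype_digit( (string) $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
        // Authorization. Cookie-authenticated REST calls only get a logged-in
        // user when a valid X-WP-Nonce accompanies them, so an unauthenticated
        // request fails the first check. The second check uses the capability
        // WordPress itself gates user deletion on, plus the per-target meta
        // capability so multisite and filtered setups are respected.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
            }
            $target = (int) $request['user_id'];
            if ( ! current_user_can( 'delete_users' ) || ! current_user_can( 'delete_user', $target ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => 'example_delete_guide',
    ) );
} );

function example_delete_guide( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    // Scope the action to what the route is for. Even a caller holding
    // delete_users must not remove an administrator or their own account here,
    // and only accounts carrying the (hypothetical) travel_guide role qualify.
    $roles = (array) $user->roles;
    if ( $user_id === get_current_user_id() || in_array( 'administrator', $roles, true ) ) {
        return new WP_Error( 'rest_forbidden', 'This account cannot be removed here.', array( 'status' => 403 ) );
    }
    if ( ! in_array( 'travel_guide', $roles, true ) ) {
        return new WP_Error( 'rest_forbidden', 'Only travel guide accounts may be removed.', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    // Reassign the removed user's content to the caller instead of dropping it.
    $ok = wp_delete_user( $user_id, get_current_user_id() );
    return rest_ensure_response( array( 'deleted' => (bool) $ok, 'user_id' => $user_id ) );
}
```

The permission callback and the handler check different things on purpose: the callback answers "may this caller delete users at all", which is what CWE-862 is about, while the handler answers "is this particular target one the route is allowed to touch". A fix that only adds a nonce or only checks is_user_logged_in() would still let any subscriber delete administrators, so both layers are needed.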

CVSS Metrics

  • v3.1, CRITICAL, Score: 9.1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Techniques & Countermeasures

  • CWE-862: Missing Authorization

    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

  • wptravel / wp travel pro

    ≤ 10.6.0
