[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-4290":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-29T19:18:53.716Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":229,"aliases":230,"duplicate_of":9,"upstream":231,"downstream":232,"duplicates":233,"related":234,"reserved_at":9,"published_at":235,"modified_at":235,"state":236,"summary":237,"references_raw":244,"kevs":253,"epss":9,"epss_history":254,"metrics":255,"affected":261},"CVE-2026-4290","The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-862","Missing Authorization","The product does not perform an authorization check when an actor attempts to access a resource or perform an action.","weakness","Incomplete","Class","High",[20],{"id":21,"name":22,"techniques":23},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[24,61,101],{"id":25,"name":26,"tactics":27,"countermeasures":34},"T1211","Exploitation for Stealth",[28,31],{"id":29,"name":30},"TA0030","Defense Evasion",{"id":32,"name":33},"TA0005","Stealth",[35,40,44,48,53,57],{"id":36,"name":37,"tactic":38},"D3-MBT","Memory Boundary Tracking",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-PCSV","Process Code Segment Verification",{"name":39},{"id":45,"name":46,"tactic":47},"D3-SSC","Shadow Stack Comparisons",{"name":39},{"id":49,"name":50,"tactic":51},"D3-PSEP","Process Segment Execution Prevention",{"name":52},"Harden",{"id":54,"name":55,"tactic":56},"D3-SAOR","Segment Address Offset Randomization",{"name":52},{"id":58,"name":59,"tactic":60},"D3-SFCV","Stack Frame Canary Validation",{"name":52},{"id":62,"name":63,"tactics":64,"countermeasures":70},"T1542.002","Component Firmware",[65,66,67],{"id":29,"name":30},{"id":32,"name":33},{"id":68,"name":69},"TA0110","Persistence",[71,76,80,84,88,92,96],{"id":72,"name":73,"tactic":74},"D3-SWI","Software Inventory",{"name":75},"Model",{"id":77,"name":78,"tactic":79},"D3-AVE","Asset Vulnerability Enumeration",{"name":75},{"id":81,"name":82,"tactic":83},"D3-FEMC","Firmware Embedded Monitoring Code",{"name":39},{"id":85,"name":86,"tactic":87},"D3-FV","Firmware Verification",{"name":39},{"id":89,"name":90,"tactic":91},"D3-FBA","Firmware Behavior Analysis",{"name":39},{"id":93,"name":94,"tactic":95},"D3-SU","Software Update",{"name":52},{"id":97,"name":98,"tactic":99},"D3-RS","Restore Software",{"name":100},"Restore",{"id":102,"name":103,"tactics":104,"countermeasures":113},"T1556","Modify Authentication Process",[105,106,109,110],{"id":29,"name":30},{"id":107,"name":108},"TA0112","Defense Impairment",{"id":68,"name":69},{"id":111,"name":112},"TA0031","Credential Access",[114,118,122,126,130,134,138,142,146,150,155,159,163,167,171,176,180,184,188,193,197,201,205,209,213,217,221,225],{"id":115,"name":116,"tactic":117},"D3-CI","Configuration Inventory",{"name":75},{"id":119,"name":120,"tactic":121},"D3-NTPM","Network Traffic Policy Mapping",{"name":75},{"id":123,"name":124,"tactic":125},"D3-AM","Access Modeling",{"name":75},{"id":127,"name":128,"tactic":129},"D3-FA","File Analysis",{"name":39},{"id":131,"name":132,"tactic":133},"D3-FIM","File Integrity Monitoring",{"name":39},{"id":135,"name":136,"tactic":137},"D3-PLA","Process Lineage Analysis",{"name":39},{"id":139,"name":140,"tactic":141},"D3-PSMD","Process Self-Modification Detection",{"name":39},{"id":143,"name":144,"tactic":145},"D3-PSA","Process Spawn Analysis",{"name":39},{"id":147,"name":148,"tactic":149},"D3-SFA","System File Analysis",{"name":39},{"id":151,"name":152,"tactic":153},"D3-FEV","File Eviction",{"name":154},"Evict",{"id":156,"name":157,"tactic":158},"D3-PT","Process Termination",{"name":154},{"id":160,"name":161,"tactic":162},"D3-PS","Process Suspension",{"name":154},{"id":164,"name":165,"tactic":166},"D3-HR","Host Reboot",{"name":154},{"id":168,"name":169,"tactic":170},"D3-HS","Host Shutdown",{"name":154},{"id":172,"name":173,"tactic":174},"D3-DF","Decoy File",{"name":175},"Deceive",{"id":177,"name":178,"tactic":179},"D3-FE","File Encryption",{"name":52},{"id":181,"name":182,"tactic":183},"D3-RF","Restore File",{"name":100},{"id":185,"name":186,"tactic":187},"D3-RC","Restore Configuration",{"name":100},{"id":189,"name":190,"tactic":191},"D3-CF","Content Filtering",{"name":192},"Isolate",{"id":194,"name":195,"tactic":196},"D3-LFP","Local File Permissions",{"name":192},{"id":198,"name":199,"tactic":200},"D3-RFAM","Remote File Access Mediation",{"name":192},{"id":202,"name":203,"tactic":204},"D3-CQ","Content Quarantine",{"name":192},{"id":206,"name":207,"tactic":208},"D3-CM","Content Modification",{"name":192},{"id":210,"name":211,"tactic":212},"D3-KBPI","Kernel-based Process Isolation",{"name":192},{"id":214,"name":215,"tactic":216},"D3-SCF","System Call Filtering",{"name":192},{"id":218,"name":219,"tactic":220},"D3-HBPI","Hardware-based Process Isolation",{"name":192},{"id":222,"name":223,"tactic":224},"D3-ABPI","Application-based Process Isolation",{"name":192},{"id":226,"name":227,"tactic":228},"D3-WSAM","Web Session Access Mediation",{"name":192},[],[],[],[],[],[],"2026-05-29T14:29:08.134Z","PUBLISHED",{"cisa_kev":238,"cisa_ransomware":238,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":239,"severity_score":240,"severity_version":241,"severity_source":242,"severity_vector":243,"severity_status":236},false,"critical",9.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",[245,249],{"url":246,"sources":247,"tags":248},"https://www.wordfence.com/threat-intel/vulnerabilities/id/885dd550-4c80-4e36-8dae-cb47c1500ea5?source=cve",[242],[],{"url":250,"sources":251,"tags":252},"https://wptravel.io/wp-travel-pro/",[242],[],[],[],[256],{"source":242,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":257,"cvss_v4_0":9},{"baseScore":240,"baseSeverity":258,"vectorString":243,"impactScore":259,"exploitabilityScore":260},"CRITICAL",8.7,10,[262],{"ecosystem":9,"name":263,"vendor":264,"product":265,"cpe_part":266,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":267},"WP Travel Pro","wptravel","wp travel pro","a",[268],{"version":269,"is_range":270,"range_type":242,"version_start":9,"version_start_type":9,"version_end":271,"version_end_type":272,"fixed_in":9},"\u003C= 10.6.0",true,"10.6.0","including"]