Description
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
Published: 2026-05-29
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Travel Pro plugin contains a flaw in its REST API that allows any user, even without authentication, to delete user accounts by specifying a user identifier. The endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} calls a permission check that always returns true and forwards the supplied ID to WordPress’s wp_delete_user() routine without verifying the requester’s role. This enables complete removal of any account, including administrators, compromising the availability and integrity of the site’s user base.
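The two defects named in the description and the impact paragraph above are a permission callback that always returns true and a handler that hands the request's user ID straight to wp_delete_user(). The following is an added example, not WP Travel Pro's own code, showing that vulnerable shape beside a hardened registration of the same route. The function names, the use of the DELETE method, the reassignment of content to the caller and the stricter rule for administrator accounts are assumptions made for illustration; the route path is the one the advisory names.

```php
<?php
/**
 * Added example (not WP Travel Pro's code): the vulnerable pattern described in
 * the advisory next to a hardened version. Function names, HTTP method and the
 * administrator rule are assumptions for illustration.
 */

// --- Vulnerable shape: the permission callback grants access to everyone ---
function example_vuln_check_permission( WP_REST_Request $request ) {
    return true; // any caller, authenticated or not, reaches the handler
}

function example_vuln_delete( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    // The supplied ID is forwarded to wp_delete_user() with no role validation.
    return rest_ensure_response( wp_delete_user( (int) $request['user_id'] ) );
}

// --- Hardened shape: capability check in the permission callback ---
function example_safe_check_permission( WP_REST_Request $request ) {
    // Only principals holding delete_users may reach the handler; anonymous
    // callers get 401, authenticated callers without the capability get 403.
    if ( ! current_user_can( 'delete_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to delete users.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    // Refuse self-deletion through this route.
    if ( (int) $request['user_id'] === get_current_user_id() ) {
        return new WP_Error( 'rest_cannot_delete_self', __( 'Cannot delete yourself.' ), array( 'status' => 400 ) );
    }
    return true;
}

function example_safe_delete( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = (int) $request['user_id'];
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
    }
    // Assumption: an administrator may only be removed by another administrator.
    if ( in_array( 'administrator', (array) $user->roles, true ) && ! current_user_can( 'administrator' ) ) {
        return new WP_Error( 'rest_forbidden', __( 'Only an administrator can delete an administrator.' ), array( 'status' => 403 ) );
    }
    // Reassign the user's content to the caller rather than dropping it with the account.
    if ( ! wp_delete_user( $user_id, get_current_user_id() ) ) {
        return new WP_Error( 'rest_user_delete_failed', __( 'Deletion failed.' ), array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route(
        'wp-travel/v1',
        '/travel-guide/(?P<user_id>\d+)',
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_safe_delete',
            'permission_callback' => 'example_safe_check_permission',
            'args'                => array(
                'user_id' => array(
                    'required'          => true,
                    'type'              => 'integer',
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value ) && (int) $value > 0;
                    },
                    'sanitize_callback' => 'absint',
                ),
            ),
        )
    );
} );
```

The decisive control is the capability test inside permission_callback: WordPress evaluates it before the handler runs, so an anonymous request never reaches wp_delete_user(). The existence check, the self-deletion guard and the administrator rule are defence in depth on top of that; the vulnerable functions are shown only for contrast and are not registered.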

Affected Systems

The vulnerability affects the WP Travel Pro WordPress plugin from the vendor WPTravel. All releases up to and including version 10.6.0 are impacted. Users running any of these releases on WordPress installations are susceptible unless they have already applied a patch or upgraded beyond 10.6.0.

Risk and Exploitability

With a CVSS score of 9.1, the flaw is rated critical. The exploit requires no authentication and can be triggered from any network location, giving an attacker immediate and unrestricted control over account deletion. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the absence of any authorization check makes it highly likely that the flaw will be actively exploited.

Generated by OpenCVE AI on May 29, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Travel Pro to a version that includes the missing authorization check (any release newer than 10.6.0).
  • If an update cannot be applied immediately, block unauthenticated access to the /wp-json/wp-travel/v1/travel-guide/ endpoint using a firewall rule or a plugin that restricts REST API access to authenticated users only.
  • Disable or remove the WP Travel Pro plugin until a fixed version is available to eliminate the attack surface.
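The second recommended action, restricting the endpoint to authenticated users until the plugin is upgraded, can be applied without touching the plugin by short-circuiting REST dispatch. The following is an added example, not OpenCVE's or WPTravel's code, written as a must-use plugin; the file name, the log format and the decision to block every unauthenticated request under the route prefix (not only deletions) are assumptions.

```php
<?php
/**
 * Plugin Name: Stop-gap: require authentication for wp-travel travel-guide routes
 * Added example (not WPTravel's code). Place in wp-content/mu-plugins/ until
 * WP Travel Pro is upgraded past 10.6.0, then remove it.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // $request->get_route() is the path after /wp-json, e.g. /wp-travel/v1/travel-guide/5
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/wp-travel/v1/travel-guide/' ) ) {
        return $result; // all other routes are dispatched normally
    }

    // Cookie-authenticated callers only count as logged in when they also sent a
    // valid X-WP-Nonce; application-password callers are authenticated directly.
    if ( ! is_user_logged_in() ) {
        // Record the blocked attempt so detection can pick it up (route, method, source).
        error_log( sprintf(
            'wp-travel stop-gap: blocked unauthenticated %s %s from %s',
            $request->get_method(),
            $route,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication required.' ),
            array( 'status' => 401 )
        );
    }

    return $result; // authenticated: let the plugin's own callbacks run
}, 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch makes WP_REST_Server answer with that error instead of calling the route's callbacks, so the plugin's always-true permission check is never consulted for anonymous traffic. This narrows the exposure but does not fix it: an authenticated low-privilege account still reaches the vulnerable handler, which is why the upgrade remains the real remediation.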

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress wordpress
                                      Wp Travel wp Travel
Vendors & Products                    Wordpress wordpress
                                      Wp Travel wp Travel

Fri, 29 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
Title                          WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T15:03:55.782Z

Reserved: 2026-03-16T16:54:44.082Z

Link: CVE-2026-4290

Vulnrichment

Updated: 2026-05-29T15:03:52.690Z

NVD

Status : Deferred

Published: 2026-05-29T15:16:24.893

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-4290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses