PatchSiren

WPTravel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL | WPTravel CVE | published 2026-05-29

CVE-2026-4290

A critical vulnerability in the WP Travel Pro WordPress plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators, via a REST API endpoint. The flaw stems from an authentication bypass in the permission check callback combined with missing role validation before user deletion.