PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4290 WPTravel CVE debrief

A critical vulnerability in the WP Travel Pro WordPress plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators, via a REST API endpoint. The flaw stems from an authentication bypass in the permission check callback combined with missing role validation before user deletion.

Vendor: WPTravel
Product: WP Travel Pro
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

WordPress site administrators using WP Travel Pro plugin versions 10.6.0 and earlier; security operations teams monitoring for REST API abuse; managed WordPress hosting providers

Technical summary

The WP Travel Pro plugin's /wp-json/wp-travel/v1/travel-guide/{user_id} endpoint fails to properly validate permissions before executing user deletion operations. The check_permission() callback unconditionally returns true, bypassing authentication requirements. The Database::delete() method subsequently passes the provided user_id directly to wp_delete_user() without verifying the requester's role or authorization level. This enables unauthenticated remote attackers to enumerate and delete any WordPress user account by sending crafted DELETE requests to the endpoint with sequential or targeted user IDs.
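The pattern described above, a REST route whose permission_callback always returns true followed by an unguarded wp_delete_user() call, is easiest to see next to a hardened version. The following is an added example written for this debrief, not WP Travel Pro's code; the route registration, function names and the choice of the delete_users capability are assumptions based only on the endpoint path given in the summary.

```php
<?php
// Added example, not WP Travel Pro's code. Handler names and the exact route
// registration are assumptions derived from the endpoint path in the debrief.

// Vulnerable pattern described in the debrief: the permission callback returns
// true unconditionally, so WordPress treats every request, including anonymous
// ones, as authorized and proceeds straight to the deletion callback.
function wptravel_example_check_permission_vulnerable( WP_REST_Request $request ) {
    return true;
}

// Hardened permission callback. permission_callback runs before the route
// callback, so an anonymous request is rejected with 401 and never reaches
// wp_delete_user(). An authenticated user must also hold delete_users, and
// the current account and administrators are refused as targets.
function wptravel_example_check_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'delete_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    $user_id = (int) $request['user_id'];
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    if ( $user_id === get_current_user_id() || user_can( $target, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'This account cannot be deleted here.', array( 'status' => 403 ) );
    }
    return true;
}

// Route callback: only reached after the hardened permission callback passed.
function wptravel_example_delete_travel_guide( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
    $user_id = (int) $request['user_id'];
    if ( ! wp_delete_user( $user_id ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wptravel_example_delete_travel_guide',
        'permission_callback' => 'wptravel_example_check_permission_hardened',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The important design point is that authorization is decided in permission_callback, where WordPress enforces it before any handler code runs, rather than inside the deletion routine; the target checks (no self-deletion, no administrators) belong there as well, because a capability check alone still lets a lower-privileged editor with delete_users remove an administrator.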

Defensive priority

critical

Recommended defensive actions

  • Immediately update WP Travel Pro to a version beyond 10.6.0 if a patched release becomes available
  • Temporarily disable or restrict access to the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint via web application firewall rules
  • Implement additional authentication and authorization checks at the web server or reverse proxy layer for WordPress REST API endpoints
  • Review WordPress user account integrity and audit logs for any unauthorized deletions
  • Monitor for anomalous DELETE requests to wp-json/wp-travel/v1/travel-guide/* paths
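For the restriction and monitoring steps above, a site operator who cannot yet update can enforce the missing check at the WordPress layer. The following must-use plugin is an added example, not vendor code; it assumes a standard install where files in wp-content/mu-plugins/ load automatically, and it uses the WordPress core filter rest_request_before_callbacks, which runs after the plugin's permission_callback and before its route callback, so returning a WP_Error from it short-circuits the deletion.

```php
<?php
/**
 * Plugin Name: Virtual patch for WP Travel Pro travel-guide DELETE
 * Added example for site operators, not vendor code. Place in
 * wp-content/mu-plugins/ (path assumes a standard WordPress layout).
 */

// True when the request is a DELETE against the route named in the debrief.
// get_route() returns the matched route with a leading slash and no namespace
// prefix such as /wp-json, so the pattern is anchored on /wp-travel/v1/... .
function wptp_vp_is_travel_guide_delete( WP_REST_Request $request ) {
    return 'DELETE' === $request->get_method()
        && 1 === preg_match( '#^/wp-travel/v1/travel-guide/\d+$#', $request->get_route() );
}

// Log every hit on the route and block any requester who is not an
// authenticated user with delete_users. The log line goes to PHP's error_log
// destination, which is where most hosts collect it for alerting.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! ( $request instanceof WP_REST_Request ) || ! wptp_vp_is_travel_guide_delete( $request ) ) {
        return $response;
    }
    $allowed = is_user_logged_in() && current_user_can( 'delete_users' );
    error_log( sprintf(
        'wp-travel travel-guide DELETE route=%s user=%d ip=%s decision=%s',
        $request->get_route(),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        $allowed ? 'allow' : 'block'
    ) );
    if ( ! $allowed ) {
        return new WP_Error( 'rest_forbidden', 'Blocked by virtual patch.', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

Because the filter sees the already-matched route rather than the raw URL, it also covers requests that reach the REST API through the ?rest_route= query form, which a URL-path-only WAF rule would miss. The log line gives the audit trail the third action asks for: a burst of decision=block entries with user=0 and sequential IDs in the route is the enumeration pattern described in the technical summary.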

Evidence notes

The vulnerability was disclosed by Wordfence and published to NVD on 2026-05-29. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) confirms that the flaw is network-exploitable with low attack complexity, requires no privileges or user interaction, and has high impact on integrity and availability but none on confidentiality. CWE-862 (Missing Authorization) is the primary weakness classification. The vendor evidence is marked low confidence and requires review.

Official resources

2026-05-29