A critical authorization flaw in the WP Travel Pro WordPress plugin lets unauthenticated attackers delete any user account, including administrators, through an exposed REST API endpoint.
What Is It
CVE-2026-4290 is a missing authorization vulnerability (CWE-862) in the WP Travel Pro plugin for WordPress. The /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint exposes a check_permission() callback that unconditionally returns true, and the underlying Database::delete() method passes the supplied user ID directly to wp_delete_user() with no role validation. The result: any remote, unauthenticated caller can issue a delete request against an arbitrary user ID and have WordPress remove that account.
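The shape of the bug described above, as an added illustration rather than WP Travel Pro's own code: a REST route whose permission callback is `__return_true` beside a hardened callback that requires authentication, checks the `delete_user` meta capability against the target, and refuses to remove administrators. The route regex, function names and the `example_` prefix are assumptions made for this snippet.

```php
<?php
// Added example, not WP Travel Pro's code. Page describes a permission_callback
// that always returns true; the hardened version below gates the route instead.

add_action( 'rest_api_init', function () {
    // Route pattern is an assumption modelled on /wp-travel/v1/travel-guide/{user_id}.
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_travel_guide',
        // Vulnerable pattern (CWE-862): 'permission_callback' => '__return_true',
        'permission_callback' => 'example_can_delete_travel_guide',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return (int) $value > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Hardened permission callback. In the REST context is_user_logged_in() is only
// true for a valid cookie+nonce or application-password session.
function example_can_delete_travel_guide( WP_REST_Request $request ) {
    $target_id = (int) $request['user_id'];
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // delete_user is a meta capability resolved per target by map_meta_cap().
    if ( ! current_user_can( 'delete_user', $target_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    // Defence in depth: never remove administrators through a plugin route.
    if ( user_can( $target_id, 'administrator' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrators cannot be removed here.', array( 'status' => 403 ) );
    }
    return true;
}

function example_delete_travel_guide( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $target_id = (int) $request['user_id'];
    if ( ! get_userdata( $target_id ) ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    $ok = wp_delete_user( $target_id );
    return $ok
        ? rest_ensure_response( array( 'deleted' => $target_id ) )
        : new WP_Error( 'rest_delete_failed', 'Deletion failed.', array( 'status' => 500 ) );
}
```

Because the capability check runs in the permission callback, an unauthenticated DELETE is rejected with 401 before the handler executes, which is the behaviour the vulnerable route lacks.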
The flaw carries a CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: network-reachable, low attack complexity, no privileges required, no user interaction, and high impact to integrity and availability (no confidentiality impact).
Why It Matters
Mass or targeted account deletion against a WordPress site is a direct integrity and availability hit. An attacker who scripts this endpoint can wipe administrators, locking legitimate operators out of their own site, or delete user content and customer accounts at scale. Because the bug requires no authentication and the endpoint is part of a popular travel-industry plugin, exposed sites are trivially discoverable and exploitable. There is no CISA KEV entry confirming active exploitation at the time of writing.
What's Vulnerable
- Product: WP Travel Pro plugin for WordPress
- Affected versions: all versions up to and including 10.6.0
- Vulnerable component: REST route /wp-json/wp-travel/v1/travel-guide/{user_id}
- Root cause: permission callback always returns true; user ID passed unvalidated to wp_delete_user()
- CWE: CWE-862 (Missing Authorization)
Patch Status
The NVD entry lists vulnerability status as Deferred and does not name a fixed version in the supplied data. Administrators running WP Travel Pro should consult the vendor and Wordfence advisory below for upgrade guidance, and in the interim restrict access to the affected REST route or disable the plugin on exposed sites.