CVE-2026-4290: CWE-862 Missing Authorization in WPTravel WP Travel Pro
CVE-2026-4290 is a critical vulnerability in the WP Travel Pro WordPress plugin that allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint. The vulnerability exists because the permission check always returns true, and user deletion is performed without validating user roles. This can lead to deletion of administrator accounts and cause denial of service or loss of administrative control. No official patch or remediation guidance is currently confirmed.
AI Analysis
Technical Summary
The WP Travel Pro plugin for WordPress up to version 10.6.0 contains a missing authorization vulnerability (CWE-862) in the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint. The check_permission() callback incorrectly returns true unconditionally, allowing unauthenticated requests to invoke the Database::delete() method, which calls wp_delete_user() directly with the provided user ID without validating the user's role. This flaw enables attackers to delete arbitrary user accounts, including administrators, leading to high impact on integrity and availability.
Potential Impact
An unauthenticated attacker can delete any user account on the affected WordPress site using the vulnerable REST API endpoint. This includes administrator accounts, potentially resulting in loss of administrative access and disruption of site operations. The CVSS score of 9.1 reflects the critical severity with network attack vector, no privileges required, no user interaction, and high impact on integrity and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the vulnerable REST API endpoint by disabling or limiting the WP Travel Pro plugin's REST API functionality or applying custom access controls to prevent unauthenticated user deletion requests.
CVE-2026-4290: CWE-862 Missing Authorization in WPTravel WP Travel Pro
Description
CVE-2026-4290 is a critical vulnerability in the WP Travel Pro WordPress plugin that allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint. The vulnerability exists because the permission check always returns true, and user deletion is performed without validating user roles. This can lead to deletion of administrator accounts and cause denial of service or loss of administrative control. No official patch or remediation guidance is currently confirmed.
CVSS v3.1
Score 9.1critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WP Travel Pro plugin for WordPress up to version 10.6.0 contains a missing authorization vulnerability (CWE-862) in the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint. The check_permission() callback incorrectly returns true unconditionally, allowing unauthenticated requests to invoke the Database::delete() method, which calls wp_delete_user() directly with the provided user ID without validating the user's role. This flaw enables attackers to delete arbitrary user accounts, including administrators, leading to high impact on integrity and availability.
Potential Impact
An unauthenticated attacker can delete any user account on the affected WordPress site using the vulnerable REST API endpoint. This includes administrator accounts, potentially resulting in loss of administrative access and disruption of site operations. The CVSS score of 9.1 reflects the critical severity with network attack vector, no privileges required, no user interaction, and high impact on integrity and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the vulnerable REST API endpoint by disabling or limiting the WP Travel Pro plugin's REST API functionality or applying custom access controls to prevent unauthenticated user deletion requests.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-16T16:54:44.082Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19a74de29bf47b50f00d50
Added to database: 5/29/2026, 2:48:45 PM
Last enriched: 5/29/2026, 3:03:27 PM
Last updated: 5/29/2026, 3:53:40 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.