CRITICAL · CVE-2026-4290 · CNA: Wordfence

CVE-2026-4290: WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.

HarborGuard Analysis

Synopsis

This is a missing-authorization flaw in the WP Travel Pro WordPress plugin that allows arbitrary user deletion. The vulnerable REST API endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} can be reached over the network with no authentication, because the permission callback unconditionally returns true and the delete method passes the user ID straight to wp_delete_user() with no role check. Successful exploitation lets an attacker delete any account on the site, including administrators, causing loss of integrity and availability of the user base. No fix has been published; HarborGuard tracks the advisory for patch availability.
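To make the root cause concrete, here is an added illustration written for this page (not WP Travel Pro's own code) of the permission-callback and delete-handler shape the advisory describes, beside a hardened registration. The route prefix comes from the advisory; the argument name user_id, the DELETE verb, and all function names are assumptions, since the advisory gives neither the plugin's parameter name nor the HTTP method.

```php
<?php
// Added illustration for this advisory, not WP Travel Pro's code.
// Assumed: route argument name "user_id", HTTP method DELETE.

// wp_delete_user() is defined in an admin include that WordPress does not
// load for REST requests; a handler that calls it must require the file.
require_once ABSPATH . 'wp-admin/includes/user.php';

// --- Vulnerable shape, as the advisory describes it -----------------------
// A permission callback that always returns true makes the route public.
function travel_guide_permission_vulnerable( WP_REST_Request $request ) {
    return true;
}

// The handler trusts the path parameter and deletes whatever account it names,
// with no check on who is calling or what role the target holds.
function travel_guide_delete_vulnerable( WP_REST_Request $request ) {
    wp_delete_user( (int) $request['user_id'] );
    return rest_ensure_response( array( 'deleted' => true ) );
}

// --- Hardened shape --------------------------------------------------------
function travel_guide_permission_hardened( WP_REST_Request $request ) {
    $target = (int) $request['user_id'];

    // Anonymous callers get 401; rest_authorization_required_code() picks
    // 401 or 403 depending on whether a user is logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // 'delete_user' is a meta capability: map_meta_cap() resolves it to
    // delete_users and, on multisite, refuses to let a non-super-admin
    // delete a super admin. This is the role validation the plugin lacks.
    if ( ! current_user_can( 'delete_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete this user.',
            array( 'status' => 403 ) );
    }
    // Core's Users screen never lets an account delete itself; mirror that.
    if ( $target === get_current_user_id() ) {
        return new WP_Error( 'rest_cannot_delete_self', 'Cannot delete the current user.',
            array( 'status' => 400 ) );
    }
    return true;
}

function travel_guide_delete_hardened( WP_REST_Request $request ) {
    $target = (int) $request['user_id'];
    if ( ! get_userdata( $target ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'No such user.',
            array( 'status' => 404 ) );
    }
    // Second argument reassigns the deleted user's posts and links to the
    // caller; with no reassignee wp_delete_user() deletes that content.
    $ok = wp_delete_user( $target, get_current_user_id() );
    return rest_ensure_response( array( 'deleted' => (bool) $ok, 'id' => $target ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'travel_guide_delete_hardened',
        'permission_callback' => 'travel_guide_permission_hardened',
        'args'                => array(
            'user_id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

The two vulnerable functions are kept only to show the pattern; nothing registers them. The hardened permission callback is the whole fix in principle: the capability check has to happen in permission_callback (or at the top of the handler), because wp_delete_user() itself performs no authorization.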

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with the Wordfence advisory ingested within minutes of publication and matched against WordPress images in customer registries and CI pipelines. Coverage includes custom-built images that bundle WP Travel Pro at or below version 10.6.0.

Triage: Available

Triage is available using the published CVSS 9.1 critical score, reweighted against each customer's compliance policy (for example, internet-exposed WordPress workloads can be escalated further). Findings are routed to the security inbox configured for each affected environment.

Patch: Pending upstream

No upstream fix exists yet, so HarborGuard re-checks the Wordfence advisory each ingest cycle and will make a patched-image rebuild available the moment WPTravel publishes a fixed release. For customers who opt into auto-remediation, that rebuild will be tied to an automatic regression run and a PR opened against affected workloads as soon as the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress REST API over the network; in practice that is any internet-exposed site running the plugin.

  • Authentication: Not required

    The permission callback returns true unconditionally, so no account, session or nonce is needed.

  • Victim interaction: Not required

    The deletion is triggered by a direct REST call and requires no action from any site user.

  • Attack complexity: Low

    A single request to the endpoint naming a target user ID deletes that account; no race, brute force or prior reconnaissance beyond knowing the ID is involved, and administrator accounts typically have low, guessable IDs.

Blast Radius

  • Deletes arbitrary WordPress user accounts, including administrators, removing legitimate operators from the site.
  • Destroys or reassigns content associations and metadata tied to deleted accounts: WordPress's wp_delete_user() deletes the user's posts and links unless a reassignment user ID is supplied as its second argument, and the advisory does not say whether the plugin supplies one.
  • Can render the site effectively unmanageable if all admin accounts are removed, producing a denial-of-service outcome for site operations.
  • Does not directly disclose stored data, but the integrity and availability damage to the user base is severe and not easily reversible.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Wordfence advisory for CVE-2026-4290 and automatic availability of a patched-image rebuild the moment WPTravel ships a fixed WP Travel Pro release. Until an upstream fix exists, compensating controls are surfaced for affected environments: block or authenticate the /wp-json/wp-travel/v1/travel-guide/ route at the WAF or reverse proxy (match the equivalent ?rest_route=/wp-travel/v1/travel-guide/ query form as well, since a rule keyed only on the /wp-json/ path misses it), restrict REST API access by IP where feasible, and feature-flag gate or temporarily remove the plugin on internet-exposed sites. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically as soon as the patched version is published.
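A compensating control that needs no change to the plugin itself, given here as an added example (not HarborGuard's or WPTravel's code): a must-use plugin that short-circuits REST dispatch for the affected route unless the caller holds delete_users. It gates every HTTP method because the advisory does not state which verb triggers the deletion, and it assumes the site can do without public access to that exact route until a fixed release ships; the helper name and log format are this example's own.

```php
<?php
/**
 * Plugin Name: Gate WP Travel travel-guide route (CVE-2026-4290 workaround)
 * Description: Added example for the HarborGuard advisory page, not vendor code.
 *              Install as wp-content/mu-plugins/cve-2026-4290-gate.php.
 */

// Pure helper so the routing decision can be reviewed on its own.
// Matches the route the advisory names, with or without a trailing slash.
// Assumption: no legitimate anonymous use of this exact route is needed
// while the plugin is unpatched.
function cve_2026_4290_is_gated_route( $route ) {
    return (bool) preg_match( '#^/wp-travel/v1/travel-guide/\d+/?$#', $route );
}

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Respect any earlier filter that already short-circuited the request.
    if ( null !== $result ) {
        return $result;
    }

    // get_route() is the normalised internal route, so /wp-json/...,
    // /index.php?rest_route=... and /?rest_route=... all arrive here.
    // A WAF rule keyed only on the /wp-json/ path would miss the latter two.
    $route = $request->get_route();
    if ( ! cve_2026_4290_is_gated_route( $route ) ) {
        return $result;
    }

    // Authentication (cookie+nonce or application password) has already run
    // by the time rest_pre_dispatch fires, so capability checks are valid.
    if ( is_user_logged_in() && current_user_can( 'delete_users' ) ) {
        return $result; // privileged caller: let the plugin handle it
    }

    // Leave an audit trail: in vulnerable versions this route is public,
    // so every denied hit is a probe or an exploit attempt worth reviewing.
    error_log( sprintf(
        'CVE-2026-4290 gate: denied %s %s from %s',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This route is disabled until WP Travel Pro is patched for CVE-2026-4290.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, so the gate stays in place even if an attacker who has not yet deleted an administrator tries to toggle plugins. Remove the file once the site is running a fixed WP Travel Pro release.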


Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: none published (no upstream fix at time of writing)
Affected products: 1
Affected packages:
  • WPTravel / WP Travel Pro, ≤ 10.6.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H