WP Travel Pro Plugin Vulnerable to Arbitrary User Deletion (CVE-2026-4290)
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST API endpoint, allowing unauthenticated attackers to delete arbitrary user accounts due to a flawed permission check and lack of role validation.
The WP Travel Pro plugin, a popular WordPress plugin designed for travel agencies and tour operators, is susceptible to a critical security vulnerability (CVE-2026-4290) that enables unauthenticated attackers to delete arbitrary user accounts. This flaw resides in the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint and affects all versions of the plugin up to and including version 10.6.0. The vulnerability stems from an improperly implemented permission check and the subsequent mishandling of user IDs within the Database::delete() method. This allows anyone, even without authentication, to trigger the deletion of any user account within the WordPress instance, including administrative accounts. Defenders should prioritize detection and prevention measures to mitigate the risk of unauthorized user account deletion and potential data breaches.
Attack Chain
- Attacker identifies a WordPress website using the vulnerable WP Travel Pro plugin (version <= 10.6.0).
- Attacker crafts a malicious HTTP request targeting the `/wp-json/wp-travel/v1/travel-guide/{user_id}` REST API endpoint.
- The `{user_id}` in the URL is replaced with the ID of the target user account to be deleted (e.g., the administrator account, which typically has an ID of 1).
- The `check_permission()` callback function is triggered but incorrectly returns `true` regardless of the caller's authentication status or role.
- The request proceeds to the `Database::delete()` method, which receives the user ID.
- `Database::delete()` passes the user ID directly to the `wp_delete_user()` function without any validation that the caller is authorized to delete the specified user.
- `wp_delete_user()` executes, permanently deleting the targeted user account from the WordPress database.
- The attacker has deleted the targeted account, disrupting the website's functionality and potentially clearing the way for further compromise.
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to delete any user account on the affected WordPress site, including administrator accounts. This could lead to a complete compromise of the website, including data breaches, defacement, or the installation of malicious plugins or themes. Given the widespread use of WP Travel Pro among travel agencies, a successful attack could result in significant disruption to business operations and loss of sensitive customer data. The CVSS v3.1 base score of 9.1 highlights the critical severity of this vulnerability.
Recommendation
- Deploy the Sigma rule detecting unauthorized access to the WP Travel Pro REST API endpoint for user deletion to your SIEM and tune for your environment, focusing on unusual IPs and user agents.
- Examine web server logs for suspicious POST requests to `/wp-json/wp-travel/v1/travel-guide/` containing user IDs (CVE-2026-4290).
- Consider blocking access to the vulnerable REST API endpoint via web application firewall (WAF) rules until the WP Travel Pro plugin is updated.
- Update WP Travel Pro past version 10.6.0, the last affected release; WAF blocking and detection rules are stopgaps, not a fix.
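The log review described above, as an added example that is not part of the original advisory or of the WP Travel Pro project: a Python script that scans web server access logs in the common "combined" format for write requests to the vulnerable route, extracts the targeted user ID, flags the high-user-ID case from the detection coverage section, and records whether the server answered 2xx (on an unpatched site, a deletion that most likely went through) or rejected the request. Three things are assumptions of the example rather than facts from the advisory: matching the `index.php?rest_route=` form of the URL that WordPress accepts when pretty permalinks are off, matching DELETE in addition to POST, and the user-ID threshold of 1000. The log lines are constructed.

```python
"""Hunt web server logs for CVE-2026-4290 exploitation attempts against WP Travel Pro."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# The vulnerable route. Both URL forms are matched: the /wp-json/ prefix named in the
# advisory and, as an assumption, the /index.php?rest_route= form WordPress accepts when
# pretty permalinks are disabled (scanners use it to dodge path-only rules).
ENDPOINT_RE = re.compile(
    r"(?:/wp-json|/index\.php\?rest_route=)/wp-travel/v1/travel-guide/(?P<user_id>\d+)(?:[/?#&]|$)"
)

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The advisory's rules match POST; DELETE is added as an assumption, since WordPress REST
# routes that remove a resource are commonly registered for that method as well.
WRITE_METHODS = {"POST", "DELETE"}

# Threshold for the "high user ID" rule; the value is an assumption, tune it to the
# site's real user count.
HIGH_USER_ID = 1000


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    user_id: int
    status: int
    ua: str
    high_user_id: bool

    @property
    def succeeded(self) -> bool:
        """A 2xx from an unpatched site means wp_delete_user() most likely ran."""
        return 200 <= self.status < 300


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the log line is a write request to the vulnerable endpoint."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None or m["method"] not in WRITE_METHODS:
        return None
    # Decode once so %2F-encoded rest_route values are seen as slashes.
    e = ENDPOINT_RE.search(unquote(m["path"]))
    if e is None:
        return None
    uid = int(e["user_id"])
    return Hit(m["ip"], m["ts"], m["method"], uid, int(m["status"]), m["ua"], uid >= HIGH_USER_ID)


def scan(log_text: str) -> list[Hit]:
    """Classify every line of a log and keep only the hits."""
    return [h for h in (classify(ln) for ln in log_text.splitlines()) if h is not None]


def by_source(hits: list[Hit]) -> dict[str, dict[str, int]]:
    """Count hits per client IP and user agent, the two fields the rule is tuned on."""
    out: dict[str, dict[str, int]] = {}
    for h in hits:
        out.setdefault(h.ip, {})
        out[h.ip][h.ua] = out[h.ip].get(h.ua, 0) + 1
    return out


# Constructed sample lines, not real traffic: two attempts from one host (one via the
# rest_route form), a harmless GET of the route, an unrelated POST, and an attempt that
# a WAF or patched plugin rejected with 403.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:14:03 +0000] "POST /wp-json/wp-travel/v1/travel-guide/1 HTTP/1.1" 200 54 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Mar/2026:10:14:05 +0000] "DELETE /index.php?rest_route=%2Fwp-travel%2Fv1%2Ftravel-guide%2F4821 HTTP/1.1" 200 54 "-" "python-requests/2.31.0"
198.51.100.22 - - [12/Mar/2026:10:15:11 +0000] "GET /wp-json/wp-travel/v1/travel-guide/1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2026:10:16:40 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 812 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2026:10:17:02 +0000] "POST /wp-json/wp-travel/v1/travel-guide/2/ HTTP/1.1" 403 93 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        outcome = "SUCCEEDED" if h.succeeded else "rejected"
        print(f"{h.ts} {h.ip} {h.method} user_id={h.user_id} status={h.status} {outcome}"
              f"{' HIGH-ID' if h.high_user_id else ''} ua={h.ua!r}")
    print(by_source(scan(SAMPLE_LOG)))
```

Run it against a real access log by reading the file into `scan()`; a 2xx hit on a site that was still on 10.6.0 at that timestamp warrants checking `wp_users` for the missing account and treating the source IP as hostile. GET requests to the route are deliberately ignored, since a read is not what this vulnerability abuses.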
Detection coverage (2 rules)
- Detect CVE-2026-4290 Exploitation — WP Travel Pro User Deletion Attempt (severity: critical). Detects CVE-2026-4290 exploitation: an HTTP POST request to the WP Travel Pro REST API endpoint for user deletion.
- Detect CVE-2026-4290 Exploitation — WP Travel Pro User Deletion with High User ID (severity: high). Detects CVE-2026-4290 exploitation: an HTTP POST request to the WP Travel Pro REST API endpoint for user deletion with a high user ID, which is less likely to be legitimate.