{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4290/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4290"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Travel Pro plugin \u003c= 10.6.0"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","user-deletion","rce","CVE-2026-4290"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Travel Pro plugin, a popular WordPress plugin designed for travel agencies and tour operators, is susceptible to a critical security vulnerability (CVE-2026-4290) that enables unauthenticated attackers to delete arbitrary user accounts. This flaw resides in the \u003ccode\u003e/wp-json/wp-travel/v1/travel-guide/{user_id}\u003c/code\u003e REST API endpoint and affects all versions of the plugin up to and including version 10.6.0. The vulnerability stems from an improperly implemented permission check and the subsequent mishandling of user IDs within the \u003ccode\u003eDatabase::delete()\u003c/code\u003e method. This allows anyone, even without authentication, to trigger the deletion of any user account within the WordPress instance, including administrative accounts. Defenders should prioritize detection and prevention measures to mitigate the risk of unauthorized user account deletion and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress website using the vulnerable WP Travel Pro plugin (version \u0026lt;= 10.6.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/wp-json/wp-travel/v1/travel-guide/{user_id}\u003c/code\u003e REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e{user_id}\u003c/code\u003e in the URL is replaced with the ID of the target user account to be deleted (e.g., the administrator account which typically has an ID of 1).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echeck_permission()\u003c/code\u003e callback function is triggered but incorrectly returns \u003ccode\u003etrue\u003c/code\u003e regardless of the user\u0026rsquo;s authentication status or role.\u003c/li\u003e\n\u003cli\u003eThe request proceeds to the \u003ccode\u003eDatabase::delete()\u003c/code\u003e method, which receives the user ID.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDatabase::delete()\u003c/code\u003e method passes the user ID directly to the \u003ccode\u003ewp_delete_user()\u003c/code\u003e function without performing any validation to confirm the attacker\u0026rsquo;s authorization to delete the specified user.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewp_delete_user()\u003c/code\u003e function executes, permanently deleting the targeted user account from the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes the targeted user account, potentially gaining unauthorized access or disrupting the website\u0026rsquo;s functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to delete any user account on the affected WordPress site, including administrator accounts. This could lead to a complete compromise of the website, including data breaches, defacement, or the installation of malicious plugins or themes. Given the widespread use of WP Travel Pro among travel agencies, a successful attack could result in significant disruption to business operations and loss of sensitive customer data. The CVSS v3.1 base score of 9.1 highlights the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting unauthorized access to the WP Travel Pro REST API endpoint for user deletion to your SIEM and tune for your environment, focusing on unusual IPs and user agents.\u003c/li\u003e\n\u003cli\u003eExamine web server logs for suspicious POST requests to \u003ccode\u003e/wp-json/wp-travel/v1/travel-guide/\u003c/code\u003e containing user IDs (CVE-2026-4290).\u003c/li\u003e\n\u003cli\u003eConsider blocking access to the vulnerable REST API endpoint via web application firewall (WAF) rules until the WP Travel Pro plugin is updated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T15:17:51Z","date_published":"2026-05-29T15:17:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-4290-wp-travel-user-deletion/","summary":"The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST API endpoint, allowing unauthenticated attackers to delete arbitrary user accounts due to a flawed permission check and lack of role validation.","title":"WP Travel Pro Plugin Vulnerable to Arbitrary User Deletion (CVE-2026-4290)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-4290-wp-travel-user-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-4290","version":"https://jsonfeed.org/version/1.1"}