PT-2026-44859 · WordPress · Wp Travel Pro

Ren Voza · Published 2026-05-29 · Updated 2026-06-04 · CVE-2026-4290

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP Travel Pro versions prior to 10.6.1

Description
The plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This occurs via the '/wp-json/wp-travel/v1/travel-guide/{user_id}' REST API endpoint because the check_permission() callback unconditionally returns true and the Database::delete() method passes the user_id variable directly to wp_delete_user() without performing role validation.

Recommendations
Update to a version later than 10.6.0. As a temporary workaround, restrict access to the '/wp-json/wp-travel/v1/travel-guide/{user_id}' endpoint to minimize the risk of exploitation.
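What a correctly authorized version of such a route looks like, plus the temporary workaround from the recommendations as a mu-plugin filter. This is an added example, not WP Travel Pro's code: the route regex, the function names and the response payload are assumptions, and only the namespace/path and the two defects (a permission callback that always returns true, wp_delete_user() called on the raw id without a role check) come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed tg_ are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'tg_delete_guide',
        // The vulnerable pattern is '__return_true' here; a real check goes instead.
        'permission_callback' => 'tg_can_delete_guide',
        'args'                => array( 'user_id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );

// Authorization. An unauthenticated REST request has no current user, so
// current_user_can() fails closed; cookie sessions also need a valid X-WP-Nonce.
function tg_can_delete_guide( WP_REST_Request $request ) {
    $target = (int) $request['user_id'];
    // 'delete_user' is the per-target meta capability wp-admin itself uses;
    // it requires the delete_users capability (administrators by default).
    if ( ! current_user_can( 'delete_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot delete this user.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Never remove an administrator or the caller through a plugin endpoint.
    if ( $target === get_current_user_id() || user_can( $target, 'administrator' ) ) {
        return new WP_Error( 'rest_forbidden', 'Refusing to delete this account.',
            array( 'status' => 403 ) );
    }
    return true;
}

function tg_delete_guide( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $target = (int) $request['user_id'];
    if ( ! get_userdata( $target ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Unknown user.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => wp_delete_user( $target ) ) );
}

// Temporary workaround (drop in wp-content/mu-plugins/ until the site runs 10.6.1
// or later): gate the route before any plugin callback can run.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( preg_match( '#^/wp-travel/v1/travel-guide/#', $request->get_route() )
        && ! current_user_can( 'delete_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint restricted.', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

The filter version blocks every method on the route, which is the safer reading of "restrict access" while the vulnerable version is still installed; remove it once the update is applied.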

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4290

Affected Products: Wp Travel Pro