CVE-2026-4290 Overview
CVE-2026-4290 is a critical missing authorization vulnerability [CWE-862] in the WP Travel Pro plugin for WordPress. The flaw affects all versions up to and including 10.6.0. Unauthenticated attackers can delete arbitrary user accounts, including administrators, by sending a request to the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint. The vulnerability stems from a check_permission() callback that unconditionally returns true, combined with a Database::delete() method that passes user IDs directly to wp_delete_user() without role validation.
Critical Impact
Unauthenticated remote attackers can delete any WordPress user account, including administrator accounts, leading to site takeover or denial of service.
Affected Products
- WP Travel Pro plugin for WordPress
- All versions up to and including 10.6.0
- WordPress sites exposing the affected REST API endpoint
Discovery Timeline
- 2026-05-29 - CVE-2026-4290 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-4290
Vulnerability Analysis
The WP Travel Pro plugin registers a REST API route at /wp-json/wp-travel/v1/travel-guide/{user_id} that accepts a user identifier as a path parameter. The endpoint is intended to manage travel guide entries associated with WordPress users. The implementation contains two compounding defects that combine to expose every account on the site to unauthenticated deletion.
The first defect resides in the check_permission() permission callback. WordPress REST API routes rely on permission callbacks to authorize incoming requests. In WP Travel Pro, this callback unconditionally returns true, bypassing all capability checks. Any unauthenticated visitor passes the authorization gate.
The second defect resides in the Database::delete() method. This method accepts the user_id value from the request and passes it directly to the WordPress core function wp_delete_user(). No verification confirms the caller's role, ownership of the target account, or whether the target is an administrator. The combination produces a missing authorization weakness [CWE-862] with destructive integrity and availability impact.
Root Cause
The root cause is improper access control on a state-changing REST endpoint. The permission callback returns true for every caller, and the delete handler omits role validation before invoking wp_delete_user(). Either control on its own would block the attack; with both absent, no authorization check remains between an anonymous request and account deletion.
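The two defects described above beside their hardened forms, as an added PHP example that is not the plugin's code: the route path and the names check_permission/delete come from the advisory, while the wpt_example_* functions and their bodies are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code: the authorization pattern
// described in the advisory, weak form beside hardened form. The route and
// callback names mirror the advisory; all function bodies here are assumptions.

// Weak form: every caller passes, and the handler deletes whatever ID arrives.
function wpt_example_check_permission_weak( WP_REST_Request $request ) {
    return true; // no capability check at all
}
function wpt_example_delete_weak( WP_REST_Request $request ) {
    return rest_ensure_response( wp_delete_user( (int) $request->get_param( 'user_id' ) ) );
}

// Hardened form, part 1: the permission callback requires delete_users.
function wpt_example_check_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'delete_users' ) ) {
        // 401 for anonymous callers, 403 for logged-in users lacking the capability.
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Hardened form, part 2: the handler re-validates the target independently,
// so it stays safe even if the permission callback is later misconfigured.
function wpt_example_delete( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    // Per-target meta capability, plus refuse self-deletion and administrators.
    if ( ! current_user_can( 'delete_user', $user_id )
        || $user_id === get_current_user_id()
        || user_can( $target, 'manage_options' ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Refusing to delete this account.', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
    return rest_ensure_response( array( 'deleted' => wp_delete_user( $user_id ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wpt_example_delete',
        'permission_callback' => 'wpt_example_check_permission',
        'args'                => array( 'user_id' => array( 'type' => 'integer', 'required' => true ) ),
    ) );
} );
```

With both controls in place an anonymous DELETE is refused with 401 before the handler runs, and a later regression in the permission callback still cannot remove an administrator because the handler checks the target itself.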
Attack Vector
An attacker sends an HTTP DELETE request to /wp-json/wp-travel/v1/travel-guide/{user_id} with the numeric ID of a target account. No authentication, no session, and no user interaction are required. Iterating the ID range allows wholesale deletion of every account on the site, including administrators. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-4290
Indicators of Compromise
- HTTP requests to /wp-json/wp-travel/v1/travel-guide/ followed by a numeric user ID
- WordPress users table entries missing without corresponding administrative action in audit logs
- WordPress debug or activity log entries showing wp_delete_user() invocations without an authenticated initiator
- Sudden loss of administrator login capability or missing author attribution on existing posts
Detection Strategies
- Inspect web server access logs for DELETE or POST requests targeting the wp-travel/v1/travel-guide/ route from unauthenticated sources
- Alert on REST API calls to the vulnerable endpoint that lack a valid X-WP-Nonce header or authenticated session cookie
- Correlate WordPress user deletion events with the absence of a corresponding admin session in identity logs
Monitoring Recommendations
- Forward WordPress audit logs and web server logs to a centralized SIEM for retention and correlation
- Establish a baseline for legitimate REST API traffic to WP Travel Pro endpoints and alert on deviations
- Monitor the WordPress users table row count and trigger alerts on unexpected decreases
How to Mitigate CVE-2026-4290
Immediate Actions Required
- Update WP Travel Pro to a version newer than 10.6.0 once a vendor patch is published
- Disable or uninstall the WP Travel Pro plugin on sites that cannot apply a fix immediately
- Restrict access to /wp-json/wp-travel/v1/ at the web server or WAF layer to authenticated administrators
- Audit the WordPress users table and restore any deleted accounts from backups
Patch Information
No fixed version is identified in the public advisory at the time of NVD publication. Refer to the Wordfence Vulnerability Report and the WP Travel vendor site for fix availability.
Workarounds
- Block the /wp-json/wp-travel/v1/travel-guide/ route at a WAF or reverse proxy until a patched version is installed
- Use a WordPress security plugin to deny unauthenticated REST API access to the affected namespace
- Limit REST API access to authenticated users by filtering rest_authentication_errors in a mu-plugin
# Example nginx rule to block all access to the vulnerable endpoint (every client,
# administrators included) until a patched version is installed
location ~ ^/wp-json/wp-travel/v1/travel-guide/ {
    deny all;
    return 403;
}
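One way to implement the mu-plugin workaround from the list above, as an added example that is not vendor code: only the wp-travel/v1 namespace comes from the advisory, the rest is assumed.

```php
<?php
/**
 * Plugin Name: Deny unauthenticated access to the wp-travel/v1 REST namespace
 *
 * Stopgap for CVE-2026-4290: drop this file into wp-content/mu-plugins/ until a
 * patched plugin version is installed. Added example, not vendor code; the
 * namespace comes from the advisory, everything else is an assumption.
 */

// Priority 101 runs after core's rest_cookie_check_errors (priority 100), so a
// cookie without a valid X-WP-Nonce has already been downgraded to anonymous.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already decided (true = authenticated, WP_Error = refused).
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Resolve the requested REST route. rest_route is set by core for both
    // pretty (/wp-json/...) and ?rest_route=/... URLs; REQUEST_URI is a fallback.
    $route = '';
    if ( isset( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = (string) $GLOBALS['wp']->query_vars['rest_route'];
    } elseif ( isset( $_SERVER['REQUEST_URI'] ) ) {
        $route = (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    }

    // Leave every other namespace untouched.
    if ( strpos( $route, 'wp-travel/v1/' ) === false ) {
        return $result;
    }

    // Anonymous callers are refused for the whole namespace. Logged-in users
    // still reach the plugin, so this narrows the attack surface; it is not a fix.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication is required for this endpoint.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 101 );
```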
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.