Introduction
A single unauthenticated HTTP DELETE request can permanently remove any WordPress user account, including every administrator, on sites running the WP Travel Pro plugin. CVE-2026-4290, disclosed on May 28, 2026 and carrying a CVSS score of 9.1, exposes a missing authorization flaw so fundamental that it amounts to the complete absence of access control on a destructive REST API endpoint.
WP Travel Pro is a commercial WordPress plugin designed for travel agencies and tour operators, providing booking management, payment gateway integrations, and travel guide features. The free version of WP Travel has over 4,000 active installations on WordPress.org, with the vendor claiming over 6,000 websites powered worldwide. While not the largest player in the WordPress travel plugin space, WP Travel occupies a meaningful niche particularly among trekking and tour operators in South and Southeast Asian markets.
No patch is available as of May 29, 2026.
Technical Information
Vulnerability Classification
CVE-2026-4290 is classified under CWE-862 (Missing Authorization), defined by MITRE as a weakness where "the product does not perform an authorization check when an actor attempts to access a resource or perform an action." CWE-862 is a Class level weakness that is a direct child of CWE-285 (Improper Authorization), which falls under the Pillar weakness CWE-284 (Improper Access Control). CWE-862 consistently ranks in the CWE Top 25 Most Dangerous Software Weaknesses, reflecting its prevalence across the software industry.
The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. Breaking this down:
| Component | Value | Meaning |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the internet |
| Attack Complexity | Low (AC:L) | No specialized conditions required |
| Privileges Required | None (PR:N) | No authentication needed |
| User Interaction | None (UI:N) | Fully automatable |
| Confidentiality Impact | None (C:N) | No direct data disclosure |
| Integrity Impact | High (I:H) | User accounts permanently destroyed |
| Availability Impact | High (A:H) | Admin lockout, denial of service |
Root Cause Analysis
The vulnerability originates from two compounding implementation failures in the WP Travel Pro plugin's REST API layer.
Flaw 1: Unconditional Permission Bypass. The plugin registers a REST API route at /wp-json/wp-travel/v1/travel-guide/{user_id} and assigns a check_permission() method as the permission callback. In WordPress's REST API architecture, the permission callback is the gatekeeper that determines whether a request should proceed. In this implementation, check_permission() unconditionally returns true for every request, regardless of the requester's authentication status or role. This effectively removes all access control from the endpoint, making it accessible to any anonymous visitor on the internet.
Flaw 2: Unvalidated User Deletion. When a DELETE request reaches the endpoint, the Database::delete() method extracts the {user_id} parameter from the URL path and passes it directly to the WordPress core function wp_delete_user() without performing any role validation or authorization check. The wp_delete_user() function is one of the most destructive operations in the WordPress API: it permanently removes a user account and either reassigns or deletes all content authored by that user.
The combination of these two flaws creates a direct, unprotected pathway from the public internet to a core WordPress administrative function.
Attack Flow
Exploitation of CVE-2026-4290 follows a straightforward sequence:
-
Target Identification. The attacker probes a WordPress site for the WP Travel Pro REST API namespace by requesting
/wp-json/wp-travel/v1/. The presence of travel guide routes confirms the plugin is active. -
User Enumeration and Deletion. WordPress user IDs are typically sequential integers starting from 1, where user ID 1 is almost always the original administrator account. The attacker sends an HTTP DELETE request to the vulnerable endpoint:
DELETE /wp-json/wp-travel/v1/travel-guide/1
Because check_permission() returns true unconditionally, the request passes through without challenge. The Database::delete() method invokes wp_delete_user(1), permanently deleting the administrator account.
-
Mass Deletion. The attacker iterates through sequential user IDs (
/travel-guide/2,/travel-guide/3, etc.), deleting every user account on the site. No authentication token, cookie, nonce, or password is required at any point. -
Site Takeover. With all administrator accounts deleted, the WordPress installation becomes inaccessible to legitimate administrators. If WordPress registration is enabled (the default on many sites), the attacker can register a new account. Depending on the site's configuration and any remaining user accounts, the attacker may be able to escalate to administrative privileges, achieving full site control.
The entire attack can be executed with a simple loop using curl or any HTTP client. The low complexity and high impact make this vulnerability particularly attractive for automated exploitation campaigns.
Comparison to Similar Vulnerabilities
This vulnerability shares structural similarities with other recent WordPress plugin authorization failures. The Burst Statistics authentication bypass (CVSS 9.8, affecting 200,000+ sites) and the Perfmatters arbitrary file deletion (also affecting 200,000+ sites) both involved permission callbacks failing to enforce authorization. However, CVE-2026-4290's impact profile is arguably more severe in one respect: it directly attacks the administrative control plane by deleting user accounts, rather than targeting files or creating accounts. Deleting all administrators is both a denial of service and a precondition for site takeover.
Affected Systems and Versions
| Attribute | Detail |
|---|---|
| Affected Plugin | WP Travel Pro (commercial version) |
| Affected Versions | All versions up to and including 10.6.0 |
| Patched Version | None available as of May 29, 2026 |
| Vulnerable Endpoint | /wp-json/wp-travel/v1/travel-guide/{user_id} |
| WordPress Requirement | 6.0.0 or higher |
| PHP Requirement | 7.4 or higher |
The free WP Travel plugin (available on WordPress.org, currently at version 11.6.0) has a separate codebase and release cycle from WP Travel Pro. The free plugin's version 11.6.0 changelog mentions "audited AJAX requests and added appropriate security validations," but this audit appears to have been limited to the free plugin and AJAX endpoints, leaving the REST API in the Pro version unaddressed.
It is important to note that WP Travel Pro installation counts are not publicly tracked on WordPress.org since it is a commercial plugin distributed through wptravel.io. The exact number of affected sites is unknown, though the vendor claims over 6,000 websites powered worldwide across both free and Pro versions.
Vendor Security History
WP Travel has a documented pattern of authorization related vulnerabilities that suggests systemic issues with access control implementation:
| CVE/Issue | Product | Type | CVSS | Date |
|---|---|---|---|---|
| CVE-2026-4290 | WP Travel Pro <= 10.6.0 | Missing Authorization (Unauthenticated User Deletion) | 9.1 | May 2026 |
| CVE-2026-24568 | WP Travel <= 11.0.0 | Missing Authorization (Authorization Bypass) | 5.3 | January 2026 |
| Broken Access Control | WP Travel 7.5.0 | Broken Access Control | Not specified | Historical |
The progression from a medium severity authorization bypass in the free plugin (CVE-2026-24568) to a critical unauthenticated admin deletion in the Pro plugin (CVE-2026-4290) within the same year is notable. While the free plugin received a security audit resulting in version 11.6.0's hardened AJAX handling, the Pro plugin's REST API authorization remained fundamentally broken through version 10.6.0.
The broader WordPress travel plugin category also shows a disproportionate concentration of security issues. The related but separate WP Travel Engine plugin (by a different vendor) has experienced CVE-2025-7634 (Local File Inclusion) and CVE-2026-2437 (CVSS 6.4), among others.
Mitigation Recommendations
Since no patch exists, organizations running WP Travel Pro should take immediate action:
Disable the plugin. Deactivate and optionally remove WP Travel Pro from all WordPress installations until a patched version is released. This is the most effective mitigation.
Block the vulnerable endpoint. If disabling the plugin is not immediately feasible, configure WAF or server level rules to block all HTTP DELETE requests matching the path pattern /wp-json/wp-travel/v1/travel-guide/*. For organizations using Wordfence, ensure firewall rules are current. For other WAF solutions, create a custom rule targeting this specific path.
Monitor for exploitation attempts. Review WordPress audit logs and web server access logs for DELETE requests to the travel-guide endpoint. Any such requests from external sources should be treated as potential exploitation attempts.
Restrict REST API access. Implement server level or plugin based restrictions requiring authentication for all WP Travel REST API endpoints as an additional layer of defense.
Evaluate alternatives. If travel booking functionality is business critical, consider migrating to an alternative plugin while WP Travel Pro remains unpatched.
The Wordfence advisory recommends reviewing the vulnerability details and employing mitigations based on organizational risk tolerance, up to and including uninstalling the affected software.
References
- Wordfence Advisory: WP Travel Pro <= 10.6.0 Missing Authorization to Unauthenticated Arbitrary User Deletion
- WP Travel Pro Product Page
- National Vulnerability Database (NVD)
- CWE-862: Missing Authorization
- CWE Top 25 Most Dangerous Software Weaknesses
- CVE-2026-24568: WP Travel Authorization Bypass (SentinelOne)
- Broken Access Control in WP Travel 7.5.0 (Patchstack)
- WP Travel Free Plugin on WordPress.org
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- CWE-284: Improper Access Control



