CVE-2026-4290

🗓️ 29 May 2026 14:29:08Reported by WordfenceType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 16 Views🌐 WEB

WP Travel Pro up to 10.6.0 allows unauthenticated deletion of arbitrary users via a travel-guide REST endpoint.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-4290	29 May 202614:29	–	attackerkb
Circl	CVE-2026-4290	29 May 202617:03	–	circl
CNNVD	WordPress plugin WP Travel Pro 安全漏洞	29 May 202600:00	–	cnnvd
Cvelist	CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators	29 May 202614:29	–	cvelist
EUVD	EUVD-2026-33327	29 May 202614:29	–	euvd
NVD	CVE-2026-4290	29 May 202615:16	–	nvd
Patchstack	WordPress WP Travel Pro plugin <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators vulnerability	29 May 202613:31	–	patchstack
Positive Technologies	PT-2026-44859	29 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-4290	5 Jun 202619:14	–	redhatcve
Vulnrichment	CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators	29 May 202614:29	–	vulnrichment

Vulners

Node

wptravel wp_travel_proRange≤10.6.0wordpress

[
  {
    "vendor": "WPTravel",
    "product": "WP Travel Pro",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "10.6.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wptravel	www.wptravel.io/wp-travel-pro/
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/885dd550-4c80-4e36-8dae-cb47c1500ea5

Parameter	Position	Path	Description	CWE
user_id	path	/wp-json/wp-travel/v1/travel-guide/{user_id}	Unauthenticated deletion of arbitrary user accounts via travel-guide endpoint due to improper permission checks.	CWE-862

17 Jun 2026 10:56Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.1

EPSS0.00258

SSVC

CWE-862