Lucene search
K

5 matches found

NVD
NVD
added 2026/05/29 3:16 p.m.14 views

CVE-2026-4290

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

9.1CVSS0.00258EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/29 2:29 p.m.11 views

EUVD-2026-33327

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

9.1CVSS5.9AI score0.00258EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 2:29 p.m.49 views

CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

9.1CVSS0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 2:29 p.m.23 views

CVE-2026-4290

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} in all versions up to 10.6.0. The root cause is a check_permission() callback that unconditionally returns true and a Database::delete() call that pas...

9.1CVSS5.9AI score0.00258EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.15 views

PT-2026-44859

Name of the Vulnerable Software and Affected Versions WP Travel Pro versions prior to 10.6.1 Description The plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This occurs via the '/wp-json/wp-travel/v1/travel-guide/user id' REST API endpoint...

9.1CVSS5.9AI score0.00258EPSS
Exploits0References5
Rows per page
Query Builder