5 matches found
CVE-2026-4290
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...
EUVD-2026-33327
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...
CVE-2026-4290
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST endpoint /wp-json/wp-travel/v1/travel-guide/{user_id} in all versions up to 10.6.0. The root cause is a check_permission() callback that unconditionally returns true and a Database::delete() call that pas...
PT-2026-44859
Name of the Vulnerable Software and Affected Versions WP Travel Pro versions prior to 10.6.1 Description The plugin allows unauthenticated attackers to delete arbitrary user accounts, including administrators. This occurs via the '/wp-json/wp-travel/v1/travel-guide/user id' REST API endpoint...