What the vulnerability does
01 Description
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
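To make the flaw class concrete, the following is an added illustration (not the plugin's own code) of a WordPress REST route whose permission callback always returns true, shown beside a hardened callback that requires an authenticated caller with the delete_users capability and refuses to remove administrator or self accounts. The route namespace, function names and capability choices are assumptions; only the failure pattern comes from the advisory.

```php
<?php
// Added illustration, not WP Travel Pro's code. Route namespace, function and
// capability choices are assumptions; only the failure pattern is from the advisory.

// Vulnerable pattern: permission_callback always returns true, so any
// unauthenticated request that reaches the endpoint is authorized, and the
// handler hands the user ID straight to wp_delete_user().
function example_vuln_permission_check( WP_REST_Request $request ) {
    return true;
}

// Hardened replacement: require an authenticated caller with delete_users,
// and refuse self-deletion and deletion of administrator accounts.
function example_hardened_permission_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete users.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    $target_id = (int) $request['user_id'];
    $target    = get_userdata( $target_id );
    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    if ( $target_id === get_current_user_id() || user_can( $target, 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'This account cannot be deleted here.', array( 'status' => 403 ) );
    }
    return true;
}

function example_delete_travel_guide( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    $deleted = wp_delete_user( (int) $request['user_id'] );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        // The vulnerable variant would register example_vuln_permission_check here.
        'permission_callback' => 'example_hardened_permission_check',
        'callback'            => 'example_delete_travel_guide',
        'args'                => array(
            'user_id' => array( 'required' => true, 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

Because the permission callback runs before the handler, an anonymous request to the hardened route is rejected with 401 before wp_delete_user() is ever reached; with the vulnerable callback, nothing stands between the request and the deletion.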
Explanation of Vulnerability in Simple Terms
02 Summary
WP Travel Pro versions up to 10.6.0 lack proper authorization checks, allowing unauthenticated attackers to modify or delete site data without logging in. The vulnerability affects core functionality and requires no user interaction. Site administrators should update immediately to a version newer than 10.6.0.
What an attacker can do
03 Attacker Capabilities
Modify or delete site data without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter bookings, travel data, or site configuration without credentials.
Conditions required to exploit
05 Prerequisites
Network access only; no login or user interaction required.
Key dates
06 Disclosure timeline
May 29, 2026: CVE published
May 29, 2026: Record updated