WP Travel Pro Missing Authorization Vulnerability Allowing Unauthenticated User Deletion

Vulnerability

A vulnerability in the WP Travel Pro plugin for WordPress, present in all versions through 10.6.0, allows for arbitrary user deletion via the REST API. The issue arises because the permission check always returns true, and the user ID is passed directly to the user deletion function without validating roles. This flaw enables unauthenticated attackers to delete any user account, including those of administrators.
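The pattern described above, shown as an added example rather than WP Travel Pro's own code: a REST route whose permission callback always passes, next to a hardened form that checks the caller's capability and validates the target account's role before deletion. The namespace `example-plugin/v1`, the route, and the `example_*` function names are hypothetical.

```php
<?php
// Added example: hypothetical route and function names, not the plugin's code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/users/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_user',
        // Weak form described in the advisory: a check that always passes.
        // 'permission_callback' => '__return_true',
        'permission_callback' => 'example_can_delete_user',
    ) );
} );

// Runs before the callback; anything other than true rejects the request.
function example_can_delete_user( WP_REST_Request $request ) {
    $target_id = absint( $request['id'] );
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Meta capability; on single-site installs it maps to delete_users.
    if ( ! current_user_can( 'delete_user', $target_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to delete this user.', array( 'status' => 403 ) );
    }
    return true;
}

function example_delete_user( WP_REST_Request $request ) {
    $target = get_userdata( absint( $request['id'] ) );
    if ( ! $target ) {
        return new WP_Error( 'rest_user_invalid_id', 'Unknown user.', array( 'status' => 404 ) );
    }
    // Role validation: this endpoint never removes the caller or an administrator.
    $is_self  = ( (int) $target->ID === get_current_user_id() );
    $is_admin = in_array( 'administrator', (array) $target->roles, true );
    if ( $is_self || $is_admin ) {
        return new WP_Error( 'rest_forbidden', 'This account cannot be deleted here.', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // Defines wp_delete_user().
    if ( ! wp_delete_user( $target->ID ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $target->ID ) );
}
```

When reviewing a plugin for this class of bug, search its `register_rest_route()` calls for a `permission_callback` that is `__return_true` or a closure that unconditionally returns true on a state-changing route.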

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of user accounts, including administrators.

Added: May 29, 2026, 3:19 PM
Updated: May 29, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.