CVE-2026-4290 -- CVSS 9.1 Vulnerability Briefing
CVE-2026-4290 | CVSS 9.1 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-4290 is an unauthenticated arbitrary user deletion vulnerability in the WP Travel Pro plugin for WordPress, exposed through a REST API endpoint that fails to enforce proper authorization controls.
Technical Detail
The flaw exists in the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in WP Travel Pro versions up to and including 10.6.0, where the endpoint does not require authentication or verify that the requesting party has permission to perform deletion operations. An unauthenticated remote attacker can supply an arbitrary user ID in the URL path to trigger deletion of any WordPress user account, including administrator accounts. Successful exploitation results in account destruction, which can be used to deny legitimate administrative access, facilitate site takeover by removing existing admins, or disrupt site operations entirely.
Exploitation Status
No known exploit code has been publicly documented as of June 05, 2026, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. There is no confirmed in-the-wild exploitation at this time. The vulnerability is rated Critical (CVSS 9.1), and the low exploitation complexity means the barrier to weaponization is minimal once an attacker identifies a vulnerable target.
Who Is Targeting This
Confirmed (ATTAX-verified): FIN13 (origin unknown, motivation unknown), APT28 (origin: Russia, motivation: nation-state), and Equation Group (origin unknown, motivation unknown) are associated with this CVE at high confidence. Reported (research-inferred): EQUATION (medium confidence, motivation unknown), VELVETANT (medium confidence, motivation unknown), and at least one unattributed actor (medium confidence) have been flagged through research-inferred analysis. The presence of APT28 and Equation Group in confirmed attribution is notable given the nature of the vulnerability, though specific campaign context linking these actors to active exploitation of this flaw has not been publicly disclosed.
What To Do
Update WP Travel Pro to a version beyond 10.6.0 immediately. Given the Critical CVSS score and the trivial exploitation path requiring no authentication, this should be treated as a high-priority patch. If an immediate update is not possible, consider disabling the WP Travel Pro plugin until patching is feasible, or restrict REST API access at the web server or WAF layer by blocking external requests to the /wp-json/wp-travel/v1/travel-guide/ endpoint. Monitor WordPress user logs for unexpected account deletions, particularly targeting administrator-level accounts. Review existing user accounts for unauthorized changes and audit REST API access logs for anomalous DELETE or destructive request patterns against the affected endpoint.
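One way to carry out the access-log audit recommended above, as an added example that is not the advisory's or the plugin vendor's code: it assumes Apache/nginx combined-format web server logs and a numeric user_id path parameter, and runs over constructed sample lines.

```python
import re
from collections import Counter
# Affected endpoint from the advisory; {user_id} is assumed to be a numeric WordPress user ID
TRAVEL_GUIDE_RE = re.compile(r"^/wp-json/wp-travel/v1/travel-guide/(\d+)/?(?:\?\S*)?$")

# Apache/nginx "combined" access log format (assumed layout of the site's web server logs)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The advisory does not say which verb triggers the deletion, so every state-changing method counts
DESTRUCTIVE_METHODS = {"DELETE", "POST", "PUT", "PATCH"}

def parse_line(line):  # one combined-format line -> dict, or None if it does not match
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_request(entry):  # finding for a request to the travel-guide endpoint, else None
    m = TRAVEL_GUIDE_RE.match(entry["path"])
    if not m:
        return None
    status = int(entry["status"])
    if entry["method"] not in DESTRUCTIVE_METHODS:
        severity = "info"      # read access, kept only for context
    elif 200 <= status < 300:
        severity = "critical"  # destructive request the server accepted
    else:
        severity = "high"      # destructive attempt rejected (e.g. by a WAF rule)
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "user_id": int(m.group(1)), "status": status, "severity": severity}

def scan(lines):  # findings for the endpoint plus a per-IP count of destructive attempts
    entries = (e for e in map(parse_line, lines) if e)
    findings = [f for f in map(flag_request, entries) if f]
    per_ip = Counter(f["ip"] for f in findings if f["severity"] != "info")
    return findings, per_ip

# Constructed sample log lines (not from a real incident); RFC 5737 documentation addresses
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jun/2026:09:58:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jun/2026:10:00:01 +0000] "DELETE /wp-json/wp-travel/v1/travel-guide/1 HTTP/1.1" 200 52 "-" "curl/8.5.0"',
    '203.0.113.5 - - [05/Jun/2026:10:00:02 +0000] "DELETE /wp-json/wp-travel/v1/travel-guide/2 HTTP/1.1" 200 52 "-" "curl/8.5.0"',
    '198.51.100.7 - - [05/Jun/2026:10:03:44 +0000] "GET /wp-json/wp-travel/v1/travel-guide/5 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jun/2026:10:07:19 +0000] "DELETE /wp-json/wp-travel/v1/travel-guide/7 HTTP/1.1" 403 199 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG)[0]:
        print(f"{f['severity']:8} {f['ts']} {f['ip']} {f['method']} user_id={f['user_id']} status={f['status']}")
```

A "critical" finding for an administrator's user ID is the signal to cross-check against the WordPress user table, since a successful request means the account may already be gone.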