WP Travel Pro <= 10.6.0 Unauthenticated Arbitrary User Deletion via REST API (CVE-2026-4290)

漏洞概述 漏洞名称: WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators CVE编号: CVE-2026-4290 CVSS评分: 9.1 (Critical) 发布日期: 2026年5月28日 最后更新日期: 2026年5月29日 研究者: Ren Voza 影响范围 软件类型: 插件 软件名称: WP Travel Pro 受影响版本: <= 10.6.0 修复方案 补丁状态: 无已知补丁可用 建议措施: 请详细审查漏洞详情，并根据组织风险容忍度采取缓解措施。最好卸载受影响的软件并寻找替代品。 漏洞描述 WP Travel Pro 插件存在未授权任意用户删除漏洞，包括管理员账户。该漏洞通过 REST API 端点在所有版本中均存在，包括 10.6.0。原因是 回调无条件返回 true，并且 方法直接将用户 ID 传递给 ，无需进行角色验证。这使得未授权攻击者可以删除任意用户账户，包括管理员账户。 参考链接 wptravel.io 分享选项 Facebook X (Twitter) LinkedIn Email 其他信息 业务时间: 9am-8pm ET, 6am-5pm PT 和 2pm-1am UTC/GMT（不包括周末和节假日） 响应时间: 客户收到24小时支持，全年365天，响应时间为1小时 版权信息 版权: © 2012-2026 Defiant Inc. 保留所有权利 免责声明 本页面内容受版权保护，具体条款见页面底部链接。 联系方式 技术支持: wfi-support@wordfence.com 其他资源 Wordfence Intelligence: 提供个人和商业API访问，包含全面的WordPress漏洞数据库 Wordfence WordPress插件: 可安装到WordPress站点，即时通知最新漏洞 文档链接 Wordfence Documentation 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): Wordfence on X Facebook: Wordfence on Facebook YouTube: Wordfence on YouTube Instagram: Wordfence on Instagram 产品链接 Wordfence Free: Wordfence Free Wordfence Premium: Wordfence Premium Wordfence Care: Wordfence Care Wordfence Response: Wordfence Response Wordfence CLI: Wordfence CLI Wordfence Intelligence: Wordfence Intelligence Wordfence Central: Wordfence Central 支持链接 文档: Documentation 学习中心: Learning Center 免费支持: Free Support 高级支持: Premium Support 新闻链接 博客: Blog 新闻: In The News 漏洞建议: Vulnerability Advisories 关于链接 关于Wordfence: About Wordfence 联盟计划: Affiliate Program 就业: Employment 联系: Contact 安全: Security CVE请求表单: CVE Request Form 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): Wordfence on X Facebook: Wordfence on Facebook YouTube: Wordfence on YouTube Instagram: Wordfence on Instagram 产品链接 Wordfence Free: Wordfence Free Wordfence Premium: Wordfence Premium Wordfence Care: Wordfence Care Wordfence Response: Wordfence Response Wordfence CLI: Wordfence CLI Wordfence Intelligence: Wordfence Intelligence Wordfence Central: Wordfence Central 支持链接 文档: Documentation 学习中心: Learning Center 免费支持: Free Support 高级支持: Premium Support 新闻链接 博客: Blog 新闻: In The News 漏洞建议: Vulnerability Advisories 关于链接 关于Wordfence: About Wordfence 联盟计划: Affiliate Program 就业: Employment 联系: Contact 安全: Security CVE请求表单: CVE Request Form 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): Wordfence on X Facebook: Wordfence on Facebook YouTube: Wordfence on YouTube Instagram: Wordfence on Instagram 产品链接 Wordfence Free: Wordfence Free Wordfence Premium: Wordfence Premium Wordfence Care: Wordfence Care Wordfence Response: Wordfence Response Wordfence CLI: Wordfence CLI Wordfence Intelligence: Wordfence Intelligence Wordfence Central: Wordfence Central 支持链接 文档: Documentation 学习中心: Learning Center 免费支持: Free Support 高级支持: Premium Support 新闻链接 博客: Blog 新闻: In The News 漏洞建议: Vulnerability Advisories 关于链接 关于Wordfence: About Wordfence 联盟计划: Affiliate Program 就业: Employment 联系: Contact 安全: Security CVE请求表单: CVE Request Form 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): Wordfence on X Facebook: Wordfence on Facebook YouTube: Wordfence on YouTube Instagram: Wordfence on Instagram 产品链接 Wordfence Free: Wordfence Free Wordfence Premium: Wordfence Premium Wordfence Care: Wordfence Care Wordfence Response: Wordfence Response Wordfence CLI: Wordfence CLI Wordfence Intelligence: Wordfence Intelligence Wordfence Central: Wordfence Central 支持链接 文档: Documentation 学习中心: Learning Center 免费支持: Free Support 高级支持: Premium Support 新闻链接 博客: Blog 新闻: In The News 漏洞建议: Vulnerability Advisories 关于链接 关于Wordfence: About Wordfence 联盟计划: Affiliate Program 就业: Employment 联系: Contact 安全: Security CVE请求表单: CVE Request Form 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): Wordfence on X Facebook: Wordfence on Facebook YouTube: Wordfence on YouTube Instagram: Wordfence on Instagram 产品链接 Wordfence Free: Wordfence Free Wordfence Premium: Wordfence Premium Wordfence Care: Wordfence Care Wordfence Response: Wordfence Response Wordfence CLI: Wordfence CLI Wordfence Intelligence: Wordfence Intelligence Wordfence Central: Wordfence Central 支持链接 文档: Documentation 学习中心: Learning Center 免费支持: Free Support 高级支持: Premium Support 新闻链接 博客: Blog 新闻: In The News 漏洞建议: Vulnerability Advisories 关于链接 关于Wordfence: About Wordfence 联盟计划: Affiliate Program 就业: Employment 联系: Contact 安全: Security CVE请求表单: CVE Request Form 订阅更新 订阅方式: 通过邮箱订阅新闻和更新 页脚链接 服务条款: Terms of Service 隐私政策: Privacy Policy 数据销售声明: Do Not Sell or Share My Personal Information 社交媒体链接 X (Twitter): [Wordfence

目標達成すべての支援者に感謝 — 100%達成しました！

WP Travel Pro <= 10.6.0 Unauthenticated Arbitrary User Deletion via REST API (CVE-2026-4290)

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

WP Travel Pro <= 10.6.0 Unauthenticated Arbitrary User Deletion via REST API (CVE-2026-4290)

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！