WordPress User Account Deletion in Other Worlds

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.3

WordPress User Account Deletion in Other Worlds

CVE-2026-5599

Summary

A user with access to manage user accounts in one world can delete accounts in other worlds. This means that a malicious user could accidentally or intentionally delete accounts outside of their intended world. To protect against this, ensure that users only have access to the worlds they are responsible for managing.

Original title

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.

Original description

A user with API access and "manage users" permission in any venueless
world is able to trigger deletion of user accounts in other worlds.

nvd CVSS4.0 7.3

Vulnerability type

CWE-653

https://github.com/venueless/venueless/security/advisories/GHSA-gwjc-33fv-2gh4

Published: 5 Apr 2026 · Updated: 5 Apr 2026 · First seen: 5 Apr 2026