Skip to main content

WP User Manager CVE-2026-49766

| EUVDEUVD-2026-36890 CRITICAL
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-hv55-m54h-w5pj
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable subscriber endpoint (AV:N, PR:L), no UI, arbitrary file deletion crosses scope (S:C) yielding high integrity/availability; limited confidentiality via error disclosure justifies C:L.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:30 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.

AnalysisAI

Arbitrary file deletion in the WordPress WP User Manager plugin versions 2.9.16 and earlier allows authenticated subscriber-level users to delete arbitrary files on the underlying server via a path traversal flaw. Successful exploitation can corrupt the WordPress installation and, when wp-config.php is targeted, force the site into setup mode enabling a takeover chain. No public exploit identified at time of analysis, but the CVSS 9.9 rating and low privilege requirement make this a priority patch for affected sites.

Technical ContextAI

WP User Manager is a WordPress plugin (CPE cpe:2.3:a:wp_user_manager:wp_user_manager) that provides front-end user registration, login, and profile management features, exposing AJAX and form-handling endpoints to authenticated subscribers. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a user-controllable input is passed into a filesystem deletion call without proper canonicalization or allow-list validation, letting attackers escape the intended directory using sequences such as '../' and reference files outside the plugin's working area.

RemediationAI

Upstream fix available per the Patchstack advisory; a released patched version was not independently confirmed from the provided input, so administrators should consult https://patchstack.com/database/wordpress/plugin/wp-user-manager/vulnerability/wordpress-wp-user-manager-plugin-2-9-16-arbitrary-file-deletion-vulnerability and the plugin's WordPress.org page to install any version newer than 2.9.16. Until an upgrade is applied, compensating controls include disabling new user registration in WordPress settings (trade-off: blocks legitimate self-service signup), deactivating the WP User Manager plugin entirely (trade-off: removes front-end membership functionality), restricting access to wp-admin and the plugin's AJAX endpoints (admin-ajax.php actions tied to wp_user_manager) via a WAF rule or IP allow-list, and enforcing strict filesystem permissions so the webserver user cannot delete wp-config.php, .htaccess, or core WordPress files (trade-off: may break legitimate plugin update/delete operations).

Share

CVE-2026-49766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy