Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
Description (CVE.org)
The WP User Manager - User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Analysis (AI)
Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target WordPress site has the WP User Manager plugin installed and activated at version 2.9.17 or earlier, and that the plugin's profile pages are reachable over the network (the default deployment, since profiles are public-facing). … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N reflects an unauthenticated, low-complexity network attack with high confidentiality impact only, hence the 7.5 base score. … |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP GET request to a public profile URL with a manipulated `tab` parameter such as `?tab=../../../../wp-config` to coerce the template loader into including an arbitrary PHP file on the server, exposing database credentials or other sensitive code. If the same WordPress instance permits user uploads that can be stored with a `.php` extension (e.g., misconfigured avatar/media handling), the attacker first uploads a webshell, then references it via the traversal-controlled include to obtain full remote code execution as the web server user. … |
| Remediation | Upstream fix available (PR https://github.com/WPUserManager/wp-user-manager/pull/445); a released patched version greater than 2.9.17 is not independently confirmed in the provided data, so administrators should monitor the plugin's WordPress.org listing and install the next release that incorporates the tab-validation change. … |
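The analysis above attributes the flaw to a `tab` value that reaches the template loader unvalidated, and the remediation row describes the fix as a tab-validation change. The following is an added example, not code from WP User Manager, the upstream PR, or vuln.today: a hardened tab-to-template resolver that only accepts allowlisted names and confirms the normalised path stays under the template directory, plus a check over constructed access-log lines that flags requests whose `tab` value is not an allowlisted name. `ALLOWED_TABS`, `TEMPLATE_ROOT`, the function names and the log lines are all assumptions or constructed for the illustration; the real plugin's tab names and file layout are not known here.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed set of profile tabs the application ships (the real plugin's
# tab names are not known here).
ALLOWED_TABS = frozenset({"about", "posts", "comments"})

# Assumed template directory; constructed path, not the plugin's real layout.
TEMPLATE_ROOT = "/var/www/html/wp-content/plugins/example-plugin/templates"


def resolve_tab_template(tab: str) -> Optional[str]:
    """Hardened loader: map a request-supplied tab name to a template file.

    Returns the template path only when `tab` is an allowlisted name AND the
    normalised path is still inside TEMPLATE_ROOT; otherwise returns None so
    the caller can fall back to the default tab. The allowlist is the actual
    fix (the raw request value never reaches the path); the containment check
    is defence in depth against a future allowlist entry containing a slash.
    """
    if tab not in ALLOWED_TABS:
        return None
    candidate = posixpath.normpath(
        posixpath.join(TEMPLATE_ROOT, f"profile-{tab}.php")
    )
    if not candidate.startswith(TEMPLATE_ROOT + "/"):
        return None
    return candidate


# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')
# A ".." path component bounded by slashes (or string start/end).
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def flag_tab_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, tab_value, reason) for every request whose `tab`
    query value is not an allowlisted name.

    parse_qs already percent-decodes once; the extra unquote() catches
    double-encoded values such as %252e%252e%252f. The reason is
    "path-traversal" when a ".." component is present, else "unknown-tab".
    """
    findings = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get("tab", []):
            value = unquote(raw)
            if value in ALLOWED_TABS:
                continue
            reason = "path-traversal" if TRAVERSAL.search(value) else "unknown-tab"
            findings.append((client, value, reason))
    return findings


# Constructed sample log lines (not real traffic); the traversal value is the
# one quoted in the exploit scenario above, and the third line encodes it.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /profile/alice/?tab=about HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2026:12:00:02 +0000] "GET /profile/alice/?tab=../../../../wp-config HTTP/1.1" 200 3301',
    '198.51.100.7 - - [10/May/2026:12:00:03 +0000] "GET /profile/bob/?tab=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 3301',
    '198.51.100.7 - - [10/May/2026:12:00:04 +0000] "GET /profile/bob/?tab=posts HTTP/1.1" 200 4800',
    '192.0.2.9 - - [10/May/2026:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100',
    '192.0.2.9 - - [10/May/2026:12:00:06 +0000] "GET /profile/carol/?tab=settings HTTP/1.1" 200 4100',
]


if __name__ == "__main__":
    for client, value, reason in flag_tab_requests(SAMPLE_LOG):
        print(f"{client}\t{reason}\ttab={value!r}")
```

In practice the resolver would be followed by a `file_exists` check before the include, and the log scan is a triage aid for confirming whether profile pages on an affected version were probed before the patched release was installed; an "unknown-tab" finding is usually a broken link or a crawler, while a "path-traversal" finding warrants checking what the request returned.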
Recommended Action (AI)
Within 24 hours: Inventory all WordPress installations and identify those running WP User Manager plugin versions 2.9.17 and earlier. …
External POC / Exploit Code
EUVD-2026-34928
GHSA-83v9-496w-54wx