Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable subscriber endpoint (AV:N, PR:L), no UI, arbitrary file deletion crosses scope (S:C) yielding high integrity/availability; limited confidentiality via error disclosure justifies C:L.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
AnalysisAI
Arbitrary file deletion in the WordPress WP User Manager plugin versions 2.9.16 and earlier allows authenticated subscriber-level users to delete arbitrary files on the underlying server via a path traversal flaw. Successful exploitation can corrupt the WordPress installation and, when wp-config.php is targeted, force the site into setup mode enabling a takeover chain. No public exploit identified at time of analysis, but the CVSS 9.9 rating and low privilege requirement make this a priority patch for affected sites.
Technical ContextAI
WP User Manager is a WordPress plugin (CPE cpe:2.3:a:wp_user_manager:wp_user_manager) that provides front-end user registration, login, and profile management features, exposing AJAX and form-handling endpoints to authenticated subscribers. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a user-controllable input is passed into a filesystem deletion call without proper canonicalization or allow-list validation, letting attackers escape the intended directory using sequences such as '../' and reference files outside the plugin's working area.
RemediationAI
Upstream fix available per the Patchstack advisory; a released patched version was not independently confirmed from the provided input, so administrators should consult https://patchstack.com/database/wordpress/plugin/wp-user-manager/vulnerability/wordpress-wp-user-manager-plugin-2-9-16-arbitrary-file-deletion-vulnerability and the plugin's WordPress.org page to install any version newer than 2.9.16. Until an upgrade is applied, compensating controls include disabling new user registration in WordPress settings (trade-off: blocks legitimate self-service signup), deactivating the WP User Manager plugin entirely (trade-off: removes front-end membership functionality), restricting access to wp-admin and the plugin's AJAX endpoints (admin-ajax.php actions tied to wp_user_manager) via a WAF rule or IP allow-list, and enforcing strict filesystem permissions so the webserver user cannot delete wp-config.php, .htaccess, or core WordPress files (trade-off: may break legitimate plugin update/delete operations).
More in Wp User Manager
View allThe WP User Manager - User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of dat
The WP User Manager - User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36890
GHSA-hv55-m54h-w5pj