Description
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Published: 2025-12-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Patch
AI Analysis

Impact

The WP User Manager plugin processes user‑supplied file paths in the avatar upload form without sufficient validation, allowing a specially crafted current_user_avatar parameter to delete any file on the webserver that the WordPress process can write to. This is a CWE‑73 vulnerability and the resulting deletion can compromise site integrity and, if combined with a file‑replacement technique, enable remote code execution by an attacker who is logged in with Subscriber‑level or higher access.

Affected Systems

WP User Manager – User Profile Builder & Membership for WordPress, all versions 2.9.12 and earlier, is affected when the custom avatar feature is enabled. Any site running a vulnerable version with that setting active is susceptible.

Risk and Exploitability

The CVSS score of 6.8 marks the issue as moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate with a Subscriber or higher role and submit a form that supplies a crafted path for current_user_avatar; the PHP filter_input() handling of array inputs allows a two‑step deletion, which can be leveraged to remove critical files or introduce malicious code, potentially leading to remote code execution. While the attack requires web‑site access, the impact is local to the site and could be amplified if the attacker gains control of the file system.

Generated by OpenCVE AI on April 21, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP User Manager to a non‑vulnerable release – for example, version 2.9.13 or later when available.
  • If an update cannot be applied immediately, disable the custom avatar feature in the plugin settings to eliminate the deletion vector.
  • Restrict avatar uploads for Subscriber‑level users or remove the ability for them to submit the current_user_avatar field.

Generated by OpenCVE AI on April 21, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 12 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpusermanager
Wpusermanager wp User Manager
Vendors & Products Wordpress
Wordpress wordpress
Wpusermanager
Wpusermanager wp User Manager

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Title WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpusermanager Wp User Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:35.348Z

Reserved: 2025-11-17T15:48:32.727Z

Link: CVE-2025-13320

cve-icon Vulnrichment

Updated: 2025-12-12T14:56:55.572Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:41.147

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13320

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses