Description
The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-09-11
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Apply Patch
AI Analysis

Impact

The plugin’s postInsertUserProcess function lacks proper file path validation, allowing an authenticated user with Subscriber-level access or higher to specify any file path for deletion. This flaw enables the attacker to remove arbitrary files on the server, and deleting critical files such as wp-config.php could lead to remote code execution or major service disruption. The weakness is a classic path traversal and unauthorized file deletion vulnerability (CWE‑22). Based on the description, it is inferred that the attacker must have a valid user account with Subscriber-level permissions.

Affected Systems

This issue affects the WordPress plugin User Meta – User Profile Builder and User management plugin in all releases up to and including version 3.1.2. Any WordPress installation using these versions is vulnerable if it has subscribers with permission to trigger the postInsertUserProcess routine.

Risk and Exploitability

The CVSS score of 8.0 indicates high severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not presently listed in the CISA KEV catalogue. Based on the description, it is inferred that exploitation requires an authenticated attacker, so the attack vector is internal via account compromise or social engineering. Once the attacker deletes a critical file, the danger escalates to remote code execution or denial of service on the affected site.

Generated by OpenCVE AI on April 20, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version that addresses the path validation flaw.
  • Audit your WordPress user accounts and remove or limit Subscriber-level accounts that do not require access to user management functions.
  • Apply a temporary workaround by disabling the user insertion functionality or by restricting file permissions so that only trusted directories can be targeted for deletion.

Advisories
Source: EUVD
ID: EUVD-2025-27643
Title: The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

History

Fri, 12 Sep 2025 09:15:00 +0000

Type: First Time appeared
Values Added: User-meta; User-meta user Meta User Profile Builder And User Management; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: User-meta; User-meta user Meta User Profile Builder And User Management; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
Values Added: The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: User Meta – User Profile Builder and User management plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:49.764Z

Reserved: 2025-08-29T11:21:52.642Z

Link: CVE-2025-9693

Vulnrichment

Updated: 2025-09-11T13:34:38.706Z

NVD

Status: Deferred

Published: 2025-09-11T08:15:38.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses