Description
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
Published: 2026-06-15
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to delete arbitrary files on the web server when using WP User Manager plugin version 2.9.16 or earlier. This can remove critical system files, configuration scripts, or user data, thereby compromising integrity and potentially leading to a denial of service. The vulnerability is classified as a CWE‑22 "Path Traversal" type error that permits file system manipulation.

Affected Systems

Any WordPress site that has installed WP User Manager plugin 2.9.16 or earlier is affected. The issue is limited to the plugin itself and does not depend on the underlying operating system. All editions of the plugin up to 2.9.16 are vulnerable.

Risk and Exploitability

With a CVSS score of 9.9 the issue is considered critical. The EPSS score of less than 1% indicates that, while exploitation is possible, it is not common in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the plugin’s administrative interface or a publicly accessible endpoint that triggers file deletion, requiring the attacker to craft a request that specifies the target file path. If successful, the attacker can delete any file that the web server’s user can access, leading to data loss and service disruption.

Generated by OpenCVE AI on June 18, 2026 at 00:25 UTC.

Remediation

Vendor Solution

Update the WordPress WP User Manager Plugin to the latest available version (at least 2.9.17).


OpenCVE Recommended Actions

  • Update the WP User Manager plugin to version 2.9.17 or later.
  • If an update is not immediately possible, disable or remove the plugin from the site until a patch is applied.
  • After applying the patch, restrict file system permissions so that the web server process cannot delete critical files, and monitor file modifications for suspicious activity.

Generated by OpenCVE AI on June 18, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpusermanager
Wpusermanager wp User Manager
Vendors & Products Wordpress
Wordpress wordpress
Wpusermanager
Wpusermanager wp User Manager

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
Title WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpusermanager Wp User Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:35:20.540Z

Reserved: 2026-06-01T15:29:09.316Z

Link: CVE-2026-49766

cve-icon Vulnrichment

Updated: 2026-06-16T14:35:15.914Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:21.703

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')