Impact
The flaw allows an attacker to delete arbitrary files on the web server when using WP User Manager plugin version 2.9.16 or earlier. This can remove critical system files, configuration scripts, or user data, thereby compromising integrity and potentially leading to a denial of service. The vulnerability is classified as a CWE‑22 "Path Traversal" type error that permits file system manipulation.
Affected Systems
Any WordPress site that has installed WP User Manager plugin 2.9.16 or earlier is affected. The issue is limited to the plugin itself and does not depend on the underlying operating system. All editions of the plugin up to 2.9.16 are vulnerable.
Risk and Exploitability
With a CVSS score of 9.9 the issue is considered critical. The EPSS score of less than 1% indicates that, while exploitation is possible, it is not common in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the plugin’s administrative interface or a publicly accessible endpoint that triggers file deletion, requiring the attacker to craft a request that specifies the target file path. If successful, the attacker can delete any file that the web server’s user can access, leading to data loss and service disruption.
OpenCVE Enrichment