Description
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2026-06-05
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP User Manager – User Profile Builder & Membership plugin contains an unauthenticated path-traversal vulnerability that leads to local file inclusion. By manipulating the 'tab' query parameter, an attacker can cause the plugin to include arbitrary files on the server, so any PHP code within those files is executed. This flaw enables attackers to bypass access controls, exfiltrate sensitive data, or fully compromise the WordPress installation if PHP files can be uploaded or accessed within the site’s file system.

Affected Systems

Any WordPress installation running WP User Manager up to and including version 2.9.17 is affected. The vulnerability resides in the plugin’s function that processes profile template scope. Administrators of sites using these plugin versions should verify the exact version and note that any release earlier than 2.9.18 is vulnerable.

Risk and Exploitability

The vulnerability received a CVSS score of 7.5, indicating a substantial risk once exploited. No EPSS score is available, and the flaw is not currently listed in CISA’s KEV catalog. The likely attack vector is remote, involving a crafted HTTP request to the plugin’s endpoint using the 'tab' parameter. While the vulnerability is unauthenticated, its exploitation would require the attacker to be able to trigger the file inclusion, which can be accomplished by requesting any existing file path or by uploading a PHP file that the site later includes. Attackers could thus read sensitive files or execute arbitrary code on the server.

Generated by OpenCVE AI on June 6, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP User Manager to the latest release (≥ 2.9.18) to apply the vendor’s fix.
  • If an immediate upgrade is impossible, block the 'tab' query parameter or disable the file-inclusion logic, and ensure that the uploads directory cannot execute PHP files by adjusting web-server permissions or .htaccess settings.
  • Deploy a web-application firewall or modify the site’s security rules to detect and prevent path-traversal attempts and to deny remote access to the vulnerable endpoint.
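As an added defender-side example (not part of the OpenCVE record or of the plugin's own code), the script below scans constructed web-server access-log lines for requests whose 'tab' query parameter, after URL decoding, contains traversal sequences or names a .php file, which is the kind of check the detection recommendation above calls for. The log format, client addresses and paths are assumed; it only sees query-string parameters, not POST bodies.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2026:01:00:01 +0000] "GET /profile/?tab=about HTTP/1.1" 200 5120
203.0.113.9 - - [06/Jun/2026:01:00:02 +0000] "GET /profile/?tab=../../../../tmp/x HTTP/1.1" 200 311
203.0.113.9 - - [06/Jun/2026:01:00:03 +0000] "GET /profile/?tab=..%252f..%252fsome%252ffile.php HTTP/1.1" 200 311
198.51.100.2 - - [06/Jun/2026:01:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Extract the request method and target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Traversal sequences, a .php target, or an embedded NUL byte in the decoded value.
SUSPICIOUS = re.compile(r'\.\.[/\\]|\.php\b|\x00', re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo repeated URL encoding (a few rounds) so ..%252f is seen as ../."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_tab_values(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded_tab_value) for requests whose 'tab'
    parameter looks like a path-traversal or file-inclusion attempt."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs already decodes one layer; normalize() handles double encoding.
        for raw in parse_qs(query, keep_blank_values=True).get("tab", []):
            value = normalize(raw)
            if SUSPICIOUS.search(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_tab_values(SAMPLE_LOG):
        print(f"{ip}: tab={value!r}")
```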


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title       |                | WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T23:28:26.787Z

Reserved: 2026-05-22T16:52:45.960Z

Link: CVE-2026-9290

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-06T00:16:42.303

Modified: 2026-06-06T00:16:42.303

Link: CVE-2026-9290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses