The WP User Manager – User Profile Builder & Membership plugin contains an unauthenticated path‑traversal vulnerability that allows local file inclusion. By manipulating the 'tab' query parameter the plugin can include arbitrary files on the server, causing any PHP code within those files to be executed. This flaw enables attackers to bypass access controls, exfiltrate sensitive data, or fully compromise the WordPress installation if PHP files can be uploaded or accessed within the site’s file system.

Any WordPress installation running WP User Manager up to and including version 2.9.17 is affected. The vulnerability resides in the plugin’s function that processes profile template scope. Administrators of sites using these plugin versions should verify the exact version and note that any release earlier than 2.9.18 is vulnerable.

The vulnerability received a CVSS score of 7.5, indicating a substantial risk once exploited. The EPSS score is 2%, and the flaw is not currently listed in CISA’s KEV catalog. The likely attack vector is remote, involving a crafted HTTP request to the plugin’s endpoint using the 'tab' parameter. While the vulnerability is unauthenticated, its exploitation would require the attacker to be able to trigger the file inclusion, which can be accomplished by requesting any existing file path or by uploading a PHP file that the site later includes. Attackers could thus read sensitive files or execute arbitrary code on the server.