CVE-2026-9290: WP User Manager Local File Inclusion Vulnerability
The WP User Manager plugin for WordPress contains a flaw that allows anyone on the internet to include and run arbitrary PHP files from the server. An attacker doesn't need a login or any special access—they can craft a request that tricks the plugin into loading a PHP file and executing whatever code is inside it. If the server already has a malicious PHP file (from a previous upload or misconfiguration), this vulnerability turns it into a direct path to taking over the site or stealing data. The vulnerability affects all versions through 2.9.17.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
13 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9290 is a Local File Inclusion (LFI) vulnerability in the WP User Manager plugin's profile template scope function. The flaw stems from insufficient input validation when handling file paths, mapped to CWE-22 (Path Traversal). The attack vector is network-based, requires no authentication, no user interaction, and involves low complexity—an unauthenticated attacker can craft a malicious request to the affected function parameter to include arbitrary .php files from the server's filesystem. Once included, the PHP code executes in the context of the web application. The CVSS 3.1 vector (7.5/HIGH) reflects the high confidentiality impact and network accessibility, though integrity and availability are not directly affected by the inclusion itself. Severity escalates significantly if combined with a file upload vulnerability or if writable directories contain attacker-controlled files.
Business impact
WordPress site administrators and businesses relying on WP User Manager face direct risk of unauthorized data access and site compromise. An attacker can read sensitive configuration files (wp-config.php, database credentials), steal user information from the WordPress database, or execute arbitrary PHP to establish persistence, redirect users to phishing sites, or modify site content. For membership-based sites using this plugin for access control, the vulnerability entirely bypasses those controls. The low barrier to exploitation (no authentication required) and high prevalence of WordPress in small-to-medium business ecosystems amplifies the risk profile. Remediation requires immediate plugin updates and review of file permissions and upload directories.
Affected systems
All WordPress installations using the WP User Manager – User Profile Builder & Membership plugin up to and including version 2.9.17 are vulnerable. The plugin is designed for user profile management and membership functionality, making it attractive to multi-user sites, community portals, and membership-based businesses. Any site with this plugin active and exposed to the internet is at risk, regardless of other security measures, because the vulnerability requires no prior compromise or authentication.
Exploitability
Exploitability is high. The vulnerability requires only network access and no authentication, user interaction, or complex setup. An attacker can exploit it with a single HTTP request targeting the vulnerable profile template parameter. Public disclosure and the simplicity of the attack vector mean exploitation is feasible for opportunistic and targeted attackers alike. Threat actors commonly scan for outdated WordPress plugins, and this vulnerability's high-impact nature (code execution potential) makes it an attractive target. The lack of KEV listing does not diminish real-world risk; it indicates the vulnerability has not yet been formally confirmed in active exploitation campaigns tracked by CISA at the time of advisory publication.
Remediation
Site owners must immediately update the WP User Manager plugin to a patched version beyond 2.9.17. Verify the availability of a security patch from the plugin vendor before updating. Concurrently, review and restrict write permissions on web-accessible directories to prevent .php file uploads, implement a Web Application Firewall (WAF) rule to block path traversal patterns in plugin parameters, and audit upload directories for suspicious files. Consider temporarily disabling the plugin if a patch is unavailable and no workaround is suitable for your use case.
Patch guidance
Update WP User Manager to a version released after 2.9.17 that addresses this vulnerability. Check the official plugin repository or vendor advisory for the specific patched version number and release date. Test the update in a staging environment first to ensure compatibility with your theme and other plugins. After patching, verify that the plugin's profile template function properly sanitizes and validates file path inputs. If no patch is available at the time of reading, contact the plugin vendor for an estimated timeline or consider alternative user profile plugins.
Detection guidance
Monitor web server access logs for HTTP requests to the WP User Manager plugin directory (typically /wp-content/plugins/wp-user-manager/) targeting the profile template function parameter with suspicious payloads such as path traversal sequences (../, ..\) or attempts to include common sensitive files (wp-config.php, /etc/passwd). Implement WAF rules to detect and block requests containing path traversal or file inclusion patterns. Use WordPress security plugins (e.g., Wordfence, Sucuri) to audit plugin versions and flag outdated software. Conduct file integrity monitoring on .php files in web-accessible directories to detect unauthorized modifications or new files created post-exploitation.
Why prioritize this
This vulnerability merits immediate attention due to its combination of high CVSS score (7.5), unauthenticated network exploitability, and direct code execution potential. The profile template function is likely called on every user profile page view, increasing exposure. WordPress is one of the most targeted platforms globally, and plugin vulnerabilities are a primary attack vector for mass compromise. Even without active KEV listing, the simplicity and impact make this a high-priority patch target for security teams.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects the following: Network Attack Vector (highest reach), Low Attack Complexity (no special conditions required), No Privileges Required (unauthenticated), No User Interaction, and Unchanged Scope. The high confidentiality impact (reading arbitrary files) drives the severity. The score does not directly account for integrity or availability impact because the LFI itself does not inherently modify or delete files—however, if combined with file upload capabilities, the real-world impact approaches critical. Organizations should treat this as a business-critical vulnerability requiring emergency response.
Frequently asked questions
Can this vulnerability be exploited if the plugin is installed but not activated?
No. WordPress does not load code from inactive plugins, so an inactive WP User Manager plugin cannot be exploited via this pathway. However, it is good practice to delete unused plugins entirely rather than simply disabling them.
Does updating WordPress itself patch this vulnerability?
No. This is a plugin-specific vulnerability. WordPress core updates do not affect third-party plugins. You must update the WP User Manager plugin itself to a version that fixes this issue.
What if I cannot patch immediately?
As an interim measure, use a WAF or htaccess rules to block requests containing path traversal sequences (../ or ..) directed at the plugin. Disable the plugin if it is not essential to your site's operation. Restrict file write permissions on directories to prevent malicious .php uploads. However, these are temporary mitigations—patching is the only reliable fix.
Is this vulnerability being actively exploited in the wild?
It is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date. However, the low barrier to exploitation and high visibility in the WordPress ecosystem mean exploitation could begin at any time. Do not rely on the absence of public exploit code as assurance of safety.
This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co does not provide legal advice or guarantee the accuracy of third-party vendor statements. Organizations should verify patch availability and compatibility with their specific WordPress configuration before deployment. Actual exploitation risk depends on site configuration, file permissions, and the presence of uploadable .php files. Consult with your vendor and conduct internal testing before implementing any changes to production systems. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write
- CVE-2026-32847HIGHDeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-35082HIGHMBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability
- CVE-2026-39276HIGHEmlog Pro v2.6.9 Path Traversal Remote Code Execution