vulnerability
WordPress Plugin: wp-user-manager: CVE-2026-9290: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Jun 5, 2026 | Jun 8, 2026 | Jun 8, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Jun 5, 2026
Added
Jun 8, 2026
Modified
Jun 8, 2026
Description
The WP User Manager – User Profile Builder and Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Solution
wp-user-manager-plugin-cve-2026-9290
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.