CVE-2026-9290 in WP User Manager Plugin

Summary

by MITRE • 06/06/2026

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.


Analysis

by VulDB Data Team • 06/06/2026

The WP User Manager plugin for WordPress carries a critical local file inclusion vulnerability affecting all versions up to and including 2.9.17. The flaw lies in the profile template scope function, where an unauthenticated attacker can influence which file the plugin includes and thereby execute arbitrary PHP code on the affected server. Because no authentication is required, a remote attacker can bypass access controls and reach resources that should have been restricted. The root cause is missing validation of the template parameter before it is used to build an include path: user-supplied input flows into the plugin's template handling logic without being constrained to the set of templates the plugin ships.

Technically, the attacker supplies a file path, or a path fragment containing traversal sequences, in place of a template name. The plugin appends it to its template path and hands the result to a PHP include without checking where it resolves, so the attacker chooses which local .php file is executed. That file runs with the privileges of the web server process, which can lead to full compromise of the host. VulDB maps the issue to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory and CWE-94 - Improper Control of Generation of Code. The attack is delivered through ordinary HTTP requests to the vulnerable endpoint, so it needs neither user interaction nor a valid account.
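
As an added illustration, not code from WP User Manager or from the VulDB analysis, the following hypothetical PHP template loader shows the inclusion pattern described above next to a hardened form. The function and parameter names, the templates directory and the allowlisted template names are assumptions; the page does not name the plugin's actual parameter or function.

```php
<?php
// Added example, not WP User Manager's code: a hypothetical profile template
// loader showing the vulnerable include pattern and a hardened replacement.

declare(strict_types=1);

// Hypothetical template directory; a real plugin would use plugin_dir_path().
const TEMPLATE_DIR = __DIR__ . '/templates/';

/**
 * VULNERABLE (illustrative): the request-controlled "scope" value is appended
 * to a path and included. "../../wp-content/uploads/shell" becomes
 * ".../templates/../../wp-content/uploads/shell.php", which PHP resolves and
 * executes with the web server's privileges.
 */
function load_profile_template_vulnerable(string $scope): void
{
    include TEMPLATE_DIR . $scope . '.php';
}

/**
 * HARDENED: only names from a fixed allowlist are accepted, and the resolved
 * path is still checked to lie inside TEMPLATE_DIR (defence in depth).
 * Returns the absolute path to include, or null if the request is rejected.
 */
function resolve_profile_template(string $scope): ?string
{
    // Assumed template set; the plugin's real templates are not named on this page.
    static $allowed = ['profile', 'profile-card', 'profile-tabs'];

    // 1. Allowlist: the template set is known at build time, so nothing else is accepted.
    if (!in_array($scope, $allowed, true)) {
        return null;
    }

    // 2. Containment: realpath() collapses "..", symlinks and dot segments.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . $scope . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

function load_profile_template(string $scope): void
{
    $path = resolve_profile_template($scope);
    if ($path === null) {
        // Fail closed: fall back to the default template rather than echo the input.
        $path = TEMPLATE_DIR . 'profile.php';
    }
    include $path;
}

// Demonstration with constructed hostile input: the hardened resolver rejects it.
$hostile = '../../wp-content/uploads/shell';
var_dump(resolve_profile_template($hostile));            // NULL
var_dump(resolve_profile_template('profile') !== null);  // true once templates/profile.php exists
```

The allowlist alone closes the hole; the realpath containment check is kept so that a future change which widens the allowlist (for example, to user-supplied theme overrides) cannot silently reintroduce traversal.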

The impact goes beyond executing code that is already on the server. An attacker who can choose which .php file is included can bypass access controls enforced by the plugin and, through the executed code, read configuration such as database credentials or extract user data from the WordPress database. Note that the description limits inclusion to .php files, so the practical severity depends on which PHP files are already present and on whether the attacker can place one: where an unrelated feature lets .php files be uploaded, the attacker uploads a payload and then includes it, turning the flaw into direct remote code execution and persistent access. Every WordPress site running an affected plugin version is exposed, which makes this a broad concern for administrators who have not updated.

Mitigation starts with updating the plugin to a release later than 2.9.17 that addresses the file inclusion flaw. Developers maintaining similar code should validate template names against a fixed allowlist and verify that any resolved include path stays inside the intended template directory, rather than trying to filter out traversal sequences. A web application firewall can detect and block requests carrying path traversal or PHP stream wrapper tokens aimed at the vulnerable endpoint, buying time until the update is applied. VulDB maps the entry to ATT&CK T1059 - Command and Scripting Interpreter, which fits: the attacker executes PHP through the server's interpreter. The additional T1566 - Phishing mapping does not describe this flaw, which needs no user interaction to exploit. Restricting where .php files can be written on the web server, for example by denying PHP execution in wp-content/uploads, removes the most direct path from file inclusion to arbitrary code execution. Regular audits of installed plugins and themes, together with prompt patching of all WordPress components, reduce exposure to similar flaws.
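
The WAF and log-review advice above is easiest to act on with a concrete rule. The script below is an added example, not part of the VulDB entry or the plugin: it scans combined-format access log lines for traversal sequences, null bytes, PHP stream wrappers and absolute system paths in the query string. The log lines are constructed, and the parameter name "template" and the /profile/ path are assumptions, since the page does not name the plugin's actual parameter or endpoint.

```php
<?php
// Added example, not from VulDB or WP User Manager: flag access-log requests
// whose query string carries the tokens a file-inclusion payload needs.

declare(strict_types=1);

/** Patterns that should never appear in a template name. */
const LFI_PATTERNS = [
    'traversal'   => '~(?:\.\./|\.\.\\\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e%252f)~i',
    'null_byte'   => '~%00~',
    'php_wrapper' => '~(?:php|phar|data|expect|zip)://~i',
    'abs_path'    => '~(?:^|=)/(?:etc|proc|var|usr|tmp)/~i',
];

/**
 * Return the names of the patterns matched in the query string of one
 * combined-format access log line, or an empty array if it looks benign.
 */
function lfi_indicators(string $logLine): array
{
    // Pull the request target out of "METHOD target HTTP/x.y".
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/~', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    // Check the raw and the once-decoded form so single URL encoding cannot hide a payload.
    $haystack = $query . "\n" . rawurldecode($query);

    $hits = [];
    foreach (LFI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $haystack)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); parameter and path are assumed.
$samples = [
    '203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /profile/?template=profile-card HTTP/1.1" 200 5123',
    '203.0.113.7 - - [06/Jun/2026:10:01:15 +0000] "GET /profile/?template=../../../wp-content/uploads/2026/06/x HTTP/1.1" 200 88',
    '203.0.113.7 - - [06/Jun/2026:10:01:19 +0000] "GET /profile/?template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 88',
    '203.0.113.7 - - [06/Jun/2026:10:01:23 +0000] "GET /profile/?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 3400',
];

foreach ($samples as $line) {
    $hits = lfi_indicators($line);
    printf("%-8s %s\n", $hits ? 'SUSPECT' : 'ok', $hits ? implode(',', $hits) : '-');
}
```

Run it against a day of logs with `php scan.php < access.log` after replacing the constructed `$samples` with `file('php://stdin')`; anything flagged as SUSPECT against the plugin's profile endpoints before the update was applied deserves a look at what the included file did, since a 200 response on a traversal request is a strong sign the include succeeded.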

Responsible

Wordfence

Reservation

05/22/2026

Disclosure

06/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
