CVE-2025-13320
Arbitrary File Deletion in WP User Manager Enables RCE
Publication date: 2025-12-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_user_manager | wp_user_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious activity related to the 'current_user_avatar' parameter in profile update requests, especially from authenticated users with Subscriber-level access or higher. Since the vulnerability allows arbitrary file deletion via crafted inputs, you can look for unusual POST requests to the profile update endpoint containing the 'current_user_avatar' parameter. Additionally, monitoring server logs for unexpected file deletions or modifications in avatar file directories can help detect exploitation attempts. Specific commands might include using web server access logs to grep for 'current_user_avatar' in POST data, for example: `grep 'current_user_avatar' /var/log/apache2/access.log` or `grep 'current_user_avatar' /var/log/nginx/access.log`. Also, monitoring file system changes in avatar upload directories using tools like `inotifywait` or `auditd` can help detect unauthorized deletions. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP User Manager plugin to a version later than 2.9.12 where the vulnerability is fixed. If an update is not immediately possible, disable the custom avatar setting in the plugin, as the vulnerability only affects sites with this feature enabled. Additionally, restrict Subscriber-level users from accessing profile update functionalities that handle avatar uploads or implement additional input validation and sanitization on the 'current_user_avatar' parameter to prevent arbitrary file deletion. Monitoring and restricting file permissions on avatar directories to prevent unauthorized deletions can also help mitigate risk. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the WP User Manager plugin for WordPress up to version 2.9.12. It allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. This happens because the plugin does not properly validate user-supplied file paths in the profile update feature and mishandles array inputs due to PHP's filter_input() function. The attack involves manipulating the 'current_user_avatar' parameter in a two-stage process and only affects sites with the custom avatar setting enabled.
How can this vulnerability impact me? :
An attacker with Subscriber-level access can delete arbitrary files on the server, which can lead to denial of service or potentially enable remote code execution. This compromises the integrity and availability of the affected website and server, possibly allowing further exploitation or damage.