CVE-2026-9290
Local File Inclusion in WP User Manager WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpusermanager | wp_user_manager | to 2.9.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP User Manager β User Profile Builder & Membership plugin for WordPress has a Local File Inclusion (LFI) vulnerability in all versions up to and including 2.9.17. This vulnerability exists in the profile template scope function, allowing unauthenticated attackers to include and execute arbitrary .php files on the server.
By exploiting this, attackers can run any PHP code contained in those files, which can lead to bypassing access controls, obtaining sensitive data, or executing malicious code if .php files can be uploaded and included.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized code execution on the server hosting the WordPress site.
- Attackers can bypass access controls.
- Sensitive data stored on the server can be accessed.
- Malicious PHP code can be executed, potentially compromising the entire server environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WP User Manager plugin version is up to and including 2.9.17, as these versions are vulnerable to Local File Inclusion via the profile template scope function.
One approach is to look for suspicious HTTP requests that include unexpected or malicious 'tab' query parameters attempting directory traversal or file inclusion patterns.
For example, monitoring web server logs for requests with parameters like '?tab=../../' or other traversal strings can help identify exploitation attempts.
Specific commands to detect such attempts could include using grep on web server logs, for example:
- grep -i 'tab=' /var/log/apache2/access.log | grep -E '(\.\./|%2e%2e%2f)'
- grep -i 'tab=' /var/log/nginx/access.log | grep -E '(\.\./|%2e%2e%2f)'
Additionally, scanning the installed plugin version can be done via WordPress admin or by checking the plugin files directly to confirm if the vulnerable version is in use.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP User Manager plugin to a version later than 2.9.17 where the vulnerability has been patched.
The patch validates the 'tab' query variable against a whitelist of registered profile and account tabs, preventing Local File Inclusion attacks.
If updating immediately is not possible, consider temporarily disabling the plugin or restricting access to the affected functionality to trusted users only.
Monitoring and blocking suspicious requests attempting directory traversal or file inclusion via web application firewalls (WAF) can also help mitigate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on the server, which can lead to bypassing access controls and obtaining sensitive data.
Such unauthorized access to sensitive data and potential code execution could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and health information.
Therefore, exploitation of this vulnerability may compromise compliance with these common standards and regulations by exposing sensitive user data and undermining system security.