Arbitrary File Deletion Vulnerability in WP User Manager Plugin by WordPress
CVE-2025-13320

6.8MEDIUM

Key Information:

Vendor: WordPress
Status: WP User Manager – User Profile Builder & Membership
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-13320?

The WP User Manager plugin for WordPress has a flaw that allows authenticated users to delete arbitrary files on the server due to improper validation in the profile update process. This vulnerability arises from insufficient checks on user-supplied file paths and flawed handling of PHP array inputs, primarily affecting installations where the custom avatar feature is active. Attackers with Subscriber-level access and higher can exploit this issue, potentially paving the way for remote code execution through a multi-step attack process.

Affected Version(s)

WP User Manager – User Profile Builder & Membership * <= 2.9.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-user-manage...

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Nov 17, 2025

Credit

JEONG YU CHAN

JSON