Arbitrary File Deletion Vulnerability in WP User Manager Plugin by WordPress
CVE-2026-49766

9.9 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 15 June 2026

What is CVE-2026-49766?

The WP User Manager plugin for WordPress is susceptible to an arbitrary file deletion vulnerability that could allow attackers to delete critical files on the server. This security flaw affects versions 2.9.16 and earlier, potentially compromising the integrity and availability of the affected WordPress sites. Site administrators are urged to assess their installations and apply necessary updates to safeguard against unauthorized file manipulation.

Affected Version(s)

WP User Manager <= 2.9.16

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

endy | Patchstack Bug Bounty Program