Local File Inclusion Vulnerability in WP User Manager Plugin for WordPress
CVE-2026-9290

7.5HIGH

What is CVE-2026-9290?

The WP User Manager plugin for WordPress suffers from a Local File Inclusion vulnerability across all versions up to and including 2.9.17. This flaw enables unauthorized attackers to include and execute arbitrary .php files on the server by exploiting the profile template scope function. As a result, attackers can bypass access controls, access sensitive information, or execute malicious PHP code, particularly in scenarios where .php file types can be uploaded and included.

Affected Version(s)

WP User Manager – User Profile Builder & Membership 0 <= 2.9.17

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yat Wu
.