Local File Inclusion Vulnerability in WP User Manager Plugin for WordPress
CVE-2026-9290
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 5 June 2026
What is CVE-2026-9290?
The WP User Manager plugin for WordPress suffers from a Local File Inclusion vulnerability across all versions up to and including 2.9.17. This flaw enables unauthorized attackers to include and execute arbitrary .php files on the server by exploiting the profile template scope function. As a result, attackers can bypass access controls, access sensitive information, or execute malicious PHP code, particularly in scenarios where .php file types can be uploaded and included.
Affected Version(s)
WP User Manager β User Profile Builder & Membership 0 <= 2.9.17