WP User Manager Plugin Vulnerability

MEDIUM (6.8) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.26% chance of exploitation (percentile: 49%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

WP User Manager is a WordPress plugin for front-end user registration, login and profile management. The vulnerability described on this page allows an attacker to delete arbitrary files on the server through the plugin. Arbitrary file deletion is more serious in WordPress than it sounds: deleting wp-config.php drops the site back into the installation wizard, where an attacker can complete setup against a database they control and then install code of their choosing, so the bug can escalate to remote code execution. The advisory does not state what privileges, if any, the attacker needs to trigger the deletion, so do not assume it requires an account.

Am I affected?

You're affected if WP User Manager is installed and active. The advisory does not state which versions are affected, so treat every installed version below 2.9.13 (the fixed version named under "How to fix") as affected until a version range is published. Check the installed version under Plugins in wp-admin, with `wp plugin get wp-user-manager --field=version`, or from the Version: header of wp-content/plugins/wp-user-manager/wp-user-manager.php.

Affected Products

Automattic / WP User Manager

How to fix

  1. Update to WP User Manager version 2.9.13 or later from the official WordPress Plugin Directory (https://wordpress.org/plugins/wp-user-manager/) or GitHub repository (https://github.com/automattic/wp-user-manager).
  2. If you cannot update immediately, deactivate the plugin until you can (`wp plugin deactivate wp-user-manager`, or Plugins > Deactivate in wp-admin). Deactivation removes the vulnerable code path; restricting network access to a public WordPress site is rarely practical and does not stop an attacker who already has the access the bug requires.
  3. Limit what a successful deletion can reach: the PHP process can only delete files it has write permission on, so wp-config.php and the WordPress core tree should be owned by a different user than the web server and not writable by it, with only wp-content/uploads writable.
  4. Check for exploitation: review web server logs for unexpected requests to the plugin's endpoints, and confirm that wp-config.php and core files are still present and unmodified (a site that suddenly shows the installation wizard has most likely lost wp-config.php).
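The following script is an added example for the "Am I affected?" check and the update step above; it is not code from the advisory or from the WP User Manager project. It reads the Version: header from a plugin's main PHP file and compares it with the fixed version named on this page (2.9.13). The path wp-content/plugins/wp-user-manager/wp-user-manager.php under /var/www/html is an assumption about the install layout; the "Version: x.y.z" header line is the standard WordPress plugin header convention. The sample plugin file at the bottom is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the advisory's or the plugin's code): check an installed
# WP User Manager copy against the fixed version named on this page.
set -u

FIXED_VERSION="2.9.13"
# Assumed install path; adjust WP_ROOT for your site.
PLUGIN_MAIN="${WP_ROOT:-/var/www/html}/wp-content/plugins/wp-user-manager/wp-user-manager.php"

# Extract the "Version:" plugin header from a main plugin file.
# Handles both " * Version: 1.2.3" (docblock) and bare "Version: 1.2.3" lines.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# Succeed when dotted version $1 >= $2 (sort -V orders 2.9.9 before 2.9.13,
# which a plain string comparison would get wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n1)" = "$1" ]
}

# Print "patched (v)", "vulnerable (v)" or "unknown" for a plugin main file.
# Exit status: 0 patched, 1 vulnerable, 2 version header not found.
check_plugin() {
    local v
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched ($v)"
        return 0
    fi
    echo "vulnerable ($v)"
    return 1
}

# Check the real install if it is present on this host.
if [ -f "$PLUGIN_MAIN" ]; then
    check_plugin "$PLUGIN_MAIN" || true
fi

# Demo on a constructed plugin header (not a real install).
demo_file="$(mktemp)"
printf '<?php\n/**\n * Plugin Name: WP User Manager\n * Version: 2.9.12\n */\n' > "$demo_file"
check_plugin "$demo_file" || true   # prints "vulnerable (2.9.12)"
rm -f "$demo_file"
```

If the script reports "vulnerable" and you cannot update right away, `wp plugin deactivate wp-user-manager` is the quickest mitigation; "unknown" means the header could not be parsed, so check the version in wp-admin rather than assuming the site is patched.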