WP User Manager Local File Inclusion (CVE-2026-9290): Unauthenticated PHP File Execution via Profile Template Scope

A local file inclusion vulnerability in the WP User Manager WordPress plugin, tracked as CVE-2026-9290 (CVSS 7.5), allows unauthenticated attackers to include and execute arbitrary PHP files on the server through the profile template scope function. All versions up to and including 2.9.17 are affected.

What Is the Vulnerability?

CVE-2026-9290 is a path traversal vulnerability (CWE-22) in the profile template scope function of WP User Manager — a plugin providing user profiles, membership, and community features for WordPress sites. The vulnerability allows an unauthenticated attacker to manipulate file path parameters to include arbitrary PHP files from the server’s filesystem. This can be leveraged to execute any PHP code present on the server — including code in WordPress core files, theme files, or plugin files — or to include attacker-uploaded PHP files to achieve remote code execution.

  • CVSS v3.1 Score: 7.5 (High)
  • CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
  • Attack Vector: Network — no authentication required
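The defensive pattern for this class of bug is to never let request data decide the include path. The following PHP is an added illustration written for this advisory, not WP User Manager's own code: the function names, the `TEMPLATE_DIR` constant, the `scope` parameter and the slug format are all hypothetical. It shows the unsafe splice-the-parameter-into-`include` pattern that path traversal exploits next to a resolver that allow-lists the slug syntactically and then confirms the canonical path still lies inside the template directory.

```php
<?php
// Added example (not the plugin's code). Names, paths and the request
// parameter are hypothetical; the pattern is the point.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // hypothetical base directory

// Vulnerable pattern the advisory describes: the request value is spliced
// straight into the include path, so a value containing "../" segments
// escapes the template directory and any PHP file on disk can be included.
function vulnerable_include(string $scope): void
{
    include TEMPLATE_DIR . '/' . $scope . '.php';   // do NOT do this
}

/**
 * Resolve a request-supplied template "scope" into a file path that is
 * guaranteed to live inside TEMPLATE_DIR, or null if it must be rejected.
 */
function resolve_profile_template(string $scope): ?string
{
    // 1. Syntactic allow-list: a short slug only; no slashes, dots or NUL bytes.
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $scope)) {
        return null;
    }

    // 2. Build the candidate path ourselves; the caller never supplies a path.
    $candidate = TEMPLATE_DIR . '/' . $scope . '.php';

    // 3. Canonicalise both sides and check containment. realpath() resolves
    //    symlinks, so a symlinked slug pointing outside the directory is
    //    rejected too, and a non-existent template yields false -> null.
    $base = realpath(TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened usage: unknown or malformed scopes get a 400, never an include.
$scope = isset($_GET['scope']) ? (string) $_GET['scope'] : 'default';
$path  = resolve_profile_template($scope);
if ($path === null) {
    http_response_code(400);
    exit('Unknown profile template');
}
include $path;
```

The regex alone would already stop traversal, but the `realpath` containment check is kept deliberately: it is the control that survives a later change to the slug format, and it is what a reviewer should look for when auditing any `include`/`require` whose argument is derived from user input.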

Which Versions Are Affected?

  • WP User Manager – User Profile Builder & Membership: all versions up to and including 2.9.17

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed. However, unauthenticated local file inclusion is a direct path to remote code execution — automated scanning tools target LFI vulnerabilities aggressively.

What Is the Fix?

Update WP User Manager to a version beyond 2.9.17. If you cannot update immediately, consider temporarily disabling the profile template functionality or the plugin.

Recommendations

Update WP User Manager immediately. Unauthenticated file inclusion enabling PHP execution is a high-severity finding that should be patched today.

Audit for unexpected files. Check the WordPress uploads directory and plugin directories for unexpected PHP files that may have been uploaded as part of an exploitation chain.
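To make that audit repeatable, here is an added, read-only PHP CLI script written for this advisory (not part of WP User Manager or WordPress). It assumes it is run from the WordPress root (`php audit_php_files.php`) and that the standard `wp-content` layout is in place; the seven-day "recently modified" window is an arbitrary choice. It reports any PHP-like file under `wp-content/uploads`, where none should exist, and lists recently changed PHP files under plugins and themes for comparison against a clean copy of the same version.

```php
<?php
// Added example (not the plugin's or WordPress's own code). Paths assume the
// current directory is the WordPress root; adjust $wp_root otherwise.
declare(strict_types=1);

$wp_root     = getcwd();                                   // assumption: cwd is WP root
$uploads_dir = $wp_root . '/wp-content/uploads';
$code_dirs   = [$wp_root . '/wp-content/plugins', $wp_root . '/wp-content/themes'];
$recent_days = 7;                                          // window for "recently changed"

/** Recursively yield the paths of regular files below $dir. */
function walk_files(string $dir): Generator
{
    if (!is_dir($dir)) {
        fwrite(STDERR, "skipping missing directory: $dir\n");
        return;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            yield $file->getPathname();
        }
    }
}

/** True if the file has a PHP-executable extension or begins with a PHP open tag. */
function looks_like_php(string $path): bool
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, ['php', 'phtml', 'php5', 'php7', 'phar'], true)) {
        return true;
    }
    // Catch PHP hidden behind an image or text extension: read only the first 64 bytes.
    $head = @file_get_contents($path, false, null, 0, 64);
    return $head !== false && str_contains($head, '<?php');
}

// 1. The uploads directory should never contain PHP; anything found is a finding.
$findings = 0;
foreach (walk_files($uploads_dir) as $path) {
    if (looks_like_php($path)) {
        printf("[UPLOADS] PHP-like file: %s\n", $path);
        $findings++;
    }
}

// 2. Plugin and theme directories legitimately contain PHP, so only flag files
//    changed within the last $recent_days days for manual review.
$cutoff = time() - $recent_days * 86400;
foreach ($code_dirs as $dir) {
    foreach (walk_files($dir) as $path) {
        if (looks_like_php($path) && filemtime($path) >= $cutoff) {
            printf("[RECENT] %s modified %s\n", $path, date('c', filemtime($path)));
            $findings++;
        }
    }
}

printf("%d item(s) to review\n", $findings);
exit($findings > 0 ? 1 : 0);
```

Two caveats when reading the output: a modification time is trivially forged, so an empty `[RECENT]` list is not proof of a clean install, and the definitive check for plugin or theme directories is a file-by-file diff against a freshly downloaded copy of the same version. The script needs PHP 8 for `str_contains`.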

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 7, 2026.
