Vulnerabilities and security researches forwp-user-manager wp-user-manager
Direction: ascendingJun 07, 2024
WP User Manager – User Profile Builder & Membership # CVE-2021-24655
- CVE, Research URL
- Date
- Jul 17, 2022
- Research Description
- The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
- Affected versions
-
max 2.6.3.
- Status
-
vulnerable
Aug 20, 2024
WP User Manager – User Profile Builder & Membership # CVE-2024-43336
- CVE, Research URL
- Date
- Aug 27, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in WP User Manager.This issue affects WP User Manager: from n/a through 2.9.10.
- Affected versions
-
max 2.9.11.
- Status
-
vulnerable
Nov 25, 2024
WP User Manager – User Profile Builder & Membership # CVE-2024-10537
- CVE, Research URL
- Date
- Nov 23, 2024
- Research Description
- The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
- Affected versions
-
max 2.9.12.
- Status
-
vulnerable
WP User Manager – User Profile Builder & Membership # CVE-2024-10216
- CVE, Research URL
- Date
- Nov 23, 2024
- Research Description
- The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.
- Affected versions
-
max 2.9.12.
- Status
-
vulnerable
Nov 11, 2025
WP User Manager – User Profile Builder & Membership # CVE-2025-60245
- CVE, Research URL
- Date
- Nov 06, 2025
- Research Description
- Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.
- Affected versions
-
max 2.9.12.
- Status
-
vulnerable
Jan 10, 2026
WP User Manager – User Profile Builder & Membership # CVE-2025-13320
- CVE, Research URL
- Date
- Dec 12, 2025
- Research Description
- The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
- Affected versions
-
max 2.9.12.
- Status
-
vulnerable
Jun 07, 2026
WP User Manager – User Profile Builder & Membership # CVE-2026-9290
- CVE, Research URL
- Date
- Jun 06, 2026
- Research Description
- The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
- Affected versions
-
max 2.9.18.
- Status
-
vulnerable