cleantalk
Vulnerabilities and Security Researches

WP User Manager – User Profile Builder & Membership, CVE-2025-13320

CVE, Research URL

CVE-2025-13320

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Published on
Dec 12, 2025
Research Description
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Affected versions
max 2.9.12.
Status
vulnerable
Previous vulnerability researches
WP User Manager – User Profile Builder & Membership (CVE-2021-24655) , Jun 07, 2024
WP User Manager – User Profile Builder & Membership (CVE-2025-13320) , Jan 10, 2026
WP User Manager – User Profile Builder & Membership (CVE-2026-9290) , Jun 07, 2026
WP User Manager – User Profile Builder & Membership (CVE-2024-10537) , Nov 25, 2024
WP User Manager – User Profile Builder & Membership (CVE-2024-10216) , Nov 25, 2024
New vulnerability
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress (CVE-2026-6448) , Jun 07, 2026
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator (CVE-2026-8976) , Jun 07, 2026
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg (CVE-2026-7796) , Jun 07, 2026
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin (CVE-2026-48965) , Jun 07, 2026
WP User Manager – User Profile Builder & Membership (CVE-2026-9290) , Jun 07, 2026