WP User Manager < 2.9.13 – Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter | CVE 2025-13320 | Plugin Vulnerabilities

Description

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.

Affects Plugins

wp-user-manager

Fixed in 2.9.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

YC_Infosec

Verified

No

WPVDB ID

1b684d53-d3dd-4f3d-b9f0-fba4882cd673

Timeline

Publicly Published

2025-12-11 (about 6 months ago)

Added

2025-12-11 (about 6 months ago)

Last Updated

2026-05-30 (about 16 days ago)

Other

Published

Title

Published

2026-05-13

Title

Motors – Car Dealer, Classifieds & Listing < 1.4.108 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter

Published

2025-01-30

Title

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.8.6 - Limited Arbitrary File Deletion

Published

2023-10-12

Title

Remote Content Shortcode <= 1.5 - Authenticated(Contributor+) Local File Inclusion via shortcode

Published

2023-12-26

Title

Media File Renamer < 5.7.8 - Admin+ Remote Code Execution

Published

2026-06-05

Title

WPvivid Backup & Migration < 0.9.129 - Admin+ Arbitrary Directory Deletion