User Meta WordPress Plugin CVE-2025-9693 Arbitrary File Deletion: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-9693, a high-severity arbitrary file deletion vulnerability in the User Meta WordPress plugin up to version 3.1.2. It covers the vulnerability mechanism, affected versions, and vendor security history based on available public sources.
CVE Analysis

ZeroPath CVE Analysis

2025-09-11
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers holding the lowest default WordPress role (Subscriber) can delete files on affected sites, which can lead to full site compromise. The User Meta plugin, a widely used WordPress extension for user profile management, was closed for download after the discovery of a high-severity vulnerability that lets authenticated users delete arbitrary files.

User Meta provides registration, login, and profile-management features for WordPress sites. Its user base spans thousands of installations, so the vulnerability affects a broad segment of the WordPress ecosystem.

Technical Information

CVE-2025-9693 is an arbitrary file deletion vulnerability in the User Meta – User Profile Builder and User management plugin for WordPress, affecting all versions up to and including 3.1.2. The flaw lies in the postInsertUserProcess function, which does not validate file paths derived from user-supplied data before deleting them. Because the path is not confined to the intended directory, an attacker with Subscriber-level access or higher can place directory traversal sequences (such as ../) in input fields processed by this function and point the deletion at a file of their choosing.

When exploited, the flaw lets the attacker delete any file that the web server process has permission to remove. The most consequential target is wp-config.php, the core WordPress configuration file. With it gone, WordPress no longer finds its database settings and exposes the setup wizard; an attacker can complete that wizard against a database they control, obtain an administrator account, and then upload a malicious plugin or theme to execute arbitrary PHP. Other files, such as .htaccess or the files of a security plugin, can also be targeted to disable protective measures.
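To make the mechanism concrete, the following PHP example (added for this review; it is not code from the User Meta plugin, from its vendor, or from ZeroPath) reproduces the CWE-22 pattern described above, a file name taken from user-controlled data reaching unlink() without being confined to the uploads directory, and places a hardened version beside it. The function names, the temporary directory layout, and the "../wp-config.php" payload are all constructed for the demonstration; WordPress-specific plumbing (capability checks, nonces, ownership of the file) is assumed to exist around such a handler and is omitted here.

```php
<?php
// Added illustrative example, not the User Meta plugin's code.
// It shows the CWE-22 pattern described above (a user-controlled file name
// reaching unlink() without confinement) next to a hardened replacement.
// Function names, the temp-directory layout and the payload are constructed.

declare(strict_types=1);

// VULNERABLE: the file name from profile/request data is joined onto the
// uploads directory as-is, so "../wp-config.php" walks out of it.
function vulnerable_remove_profile_file(string $upload_dir, string $file_name): bool
{
    $path = rtrim($upload_dir, '/') . '/' . $file_name;
    return file_exists($path) && unlink($path);
}

// HARDENED: accept only a bare file name, canonicalise both sides with
// realpath(), and require the target to sit strictly inside the base directory.
function safe_remove_profile_file(string $upload_dir, string $file_name): bool
{
    // A bare file name has no directory component; this rejects "../x",
    // "a/b", "." and ".." before the filesystem is touched at all.
    if ($file_name === '' || $file_name === '.' || $file_name === '..'
        || basename($file_name) !== $file_name) {
        return false;
    }
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;
    }
    // realpath() also resolves symlinks, so a link inside uploads/ that
    // points at wp-config.php resolves to its real location and fails below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file_name);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed layout:  <tmp>/site/wp-config.php        (must survive)
//                      <tmp>/site/uploads/avatar.png   (may be deleted)
$root = sys_get_temp_dir() . '/cwe22-demo-' . getmypid();
mkdir("$root/site/uploads", 0700, true);
file_put_contents("$root/site/wp-config.php", "<?php // config\n");
file_put_contents("$root/site/uploads/avatar.png", "png");
$uploads = "$root/site/uploads";
$payload = '../wp-config.php';   // what a Subscriber-level user would submit

check(safe_remove_profile_file($uploads, $payload) === false, 'traversal rejected');
check(file_exists("$root/site/wp-config.php"), 'config intact after hardened call');
check(safe_remove_profile_file($uploads, 'avatar.png') === true, 'legitimate delete works');

check(vulnerable_remove_profile_file($uploads, $payload) === true, 'vulnerable path deletes');
check(!file_exists("$root/site/wp-config.php"), 'config gone after vulnerable call');

rmdir("$root/site/uploads");
rmdir("$root/site");
rmdir($root);
echo "all checks passed\n";
```

Run it with `php example.php`; it builds the layout in the system temp directory, shows the hardened function refusing the traversal payload while still deleting a legitimate upload, and then shows the vulnerable function removing the simulated wp-config.php. In a real plugin the same confinement should be applied to whatever path is finally passed to WordPress's wp_delete_file(), and the handler should also verify that the file belongs to the requesting user and that a capability check and nonce have been satisfied; none of those checks is a substitute for confining the path.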

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The public plugin source code reference is:

No patch or fixed version is available as of the plugin's closure on September 10, 2025.

Affected Systems and Versions

  • Product: User Meta – User Profile Builder and User management plugin for WordPress
  • Affected Versions: All versions up to and including 3.1.2
  • Only WordPress installations with this plugin active are vulnerable
  • Exploitation requires an authenticated user with Subscriber-level access or higher; on sites that allow open registration ("Anyone can register" under Settings > General), any visitor can obtain that role, so the authentication requirement offers little protection there

Vendor Security History

  • The User Meta plugin was closed for download by WordPress.org on September 10, 2025, due to security concerns
  • User feedback has highlighted technical issues and slow or absent support responses
  • No patch or official advisory has been published by the vendor as of this writing
  • No evidence of a rapid or mature security response process
