Introduction
Attackers with even the lowest level of WordPress access can delete critical files on affected sites, potentially leading to full site compromise. The User Meta plugin, a widely used WordPress extension for user profile management, was abruptly closed for download after the discovery of a high-severity vulnerability that enables arbitrary file deletion by authenticated users.
User Meta is a plugin designed to provide advanced registration, login, and profile management features for WordPress sites. Its user base spans thousands of installations, making this vulnerability particularly impactful for a broad segment of the WordPress ecosystem.
Technical Information
CVE-2025-9693 is an arbitrary file deletion vulnerability present in the User Meta – User Profile Builder and User management plugin for WordPress, affecting all versions up to and including 3.1.2. The vulnerability is rooted in the postInsertUserProcess function, which fails to properly validate file paths supplied by users. This lack of validation allows attackers with Subscriber-level access or higher to supply directory traversal sequences (such as ../) in user input fields processed by this function.
When exploited, this flaw allows the attacker to delete any file on the server that the web server process has permission to remove. Of particular concern is the ability to delete wp-config.php, the core WordPress configuration file. Once removed, WordPress will prompt for reinstallation, enabling the attacker to gain full administrative control and execute arbitrary code via plugin or theme uploads. Other files, such as .htaccess or security plugin files, can also be targeted to disable protective measures.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The public plugin source code reference is:
No patch or fixed version is available as of the plugin's closure on September 10, 2025.
Affected Systems and Versions
- Product: User Meta – User Profile Builder and User management plugin for WordPress
- Affected Versions: All versions up to and including 3.1.2
- Only WordPress installations with this plugin active are vulnerable
- Exploitation requires an authenticated user with Subscriber-level access or higher
Vendor Security History
- The User Meta plugin was closed for download by WordPress.org on September 10, 2025, due to security concerns
- User feedback has highlighted technical issues and slow or absent support responses
- No patch or official advisory has been published by the vendor as of this writing
- No evidence of a rapid or mature security response process
