Introduction
An unauthenticated Local File Inclusion vulnerability in the WP User Manager WordPress plugin allows any remote attacker to traverse directories and include arbitrary PHP files on the server, with no login required. With over 30,000 websites using the plugin and the attack requiring nothing more than a crafted HTTP request, this flaw presents a meaningful risk to a broad swath of WordPress deployments.
WP User Manager is a WordPress plugin that provides customizable user profiles, registration forms, login pages, password recovery, and membership functionality. It has been available on WordPress.org since 2015 and is developed by Iain Poulson, a WordPress developer with over 12 years of experience. The plugin serves a common need in the WordPress ecosystem: extending WordPress's native user management capabilities for sites that require frontend profile editing and membership features.
Technical Information
CVE-2026-9290 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and carries a CVSS v3.1 score of 7.5 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The scoring reflects network exploitability, no authentication requirement, low attack complexity, no user interaction, and high confidentiality impact.
Root Cause
The core issue is in the function wpum_get_active_profile_tab() located in includes/functions.php at line 955. This function retrieves the tab query parameter directly from the URL without validating it against a known set of registered profile tabs. The unsanitized value is then passed through multiple layers of the plugin's template loading pipeline, ultimately reaching a file inclusion operation.
The Vulnerable Code Path
The attack chain traverses five source files, each of which handles the tainted tab value without sanitization:
-
includes/functions.php(line 955):wpum_get_active_profile_tab()reads thetabquery variable from the request. No validation occurs here against registered tabs. -
includes/permalinks.php(line 133): The routing and rewrite logic processes the tab value as part of URL resolution. -
templates/profile.php(line 52): The profile template consumes the unvalidated tab value to determine which template partial to load. -
vendor-dist/gamajo/template-loader/class-gamajo-template-loader.php(line 226): The Gamajo Template Loader class constructs a template path that incorporates the attacker controlled tab value. -
vendor-dist/brain/cortex/src/Cortex/Router/Router.php(line 183): The Cortex router handles URL routing and passes the tab parameter through without restriction.
Attack Flow
An attacker exploits this vulnerability through the following steps:
-
Identify a target: The attacker locates a WordPress site running WP User Manager version 2.9.17 or earlier. This can be done through automated scanning of WordPress installations, checking for the plugin's characteristic profile page endpoints.
-
Craft a malicious request: The attacker sends an HTTP request to the site's profile page with a
tabquery parameter containing path traversal sequences (e.g.,../). Becausewpum_get_active_profile_tab()accepts any user supplied value, the traversal sequences are passed directly into the template loading pipeline. -
File inclusion occurs: The Gamajo Template Loader constructs a file path using the attacker controlled tab value. The path traversal sequences cause the loader to resolve to a file outside the intended template directory, and the PHP
includeoperation executes the targeted file. -
Data exfiltration or code execution: If the included file is a configuration file like
wp-config.php, the attacker gains access to database credentials and authentication keys. If the site permits .php file uploads through any other plugin or WordPress feature, the attacker can first upload a malicious PHP file and then use the LFI to include and execute it, achieving full remote code execution.
CVSS Nuance
The CVSS base score of 7.5 rates integrity and availability impact as "None," which reflects the LFI scenario in isolation. However, the vulnerability description explicitly notes that code execution is achievable when .php files can be uploaded and included. Sites with any file upload functionality face compounded risk that exceeds what the base CVSS score communicates.
Affected Systems and Versions
The vulnerability affects the WP User Manager plugin for WordPress in all versions up to and including 2.9.17. The source code references in the CVE advisory specifically point to tags 2.9.15 and 2.9.17, confirming the vulnerable code was present across multiple releases.
| Component | Detail |
|---|---|
| Plugin | WP User Manager (User Profile Builder & Membership) |
| Affected versions | All versions through 2.9.17 |
| Fixed version | 2.9.18 |
| WordPress.org slug | wp-user-manager |
| Vulnerable parameter | tab query parameter on profile pages |
| Authentication required | None |
Any WordPress installation running WP User Manager version 2.9.17 or earlier with the plugin activated is vulnerable. The attack surface is the profile page endpoint, which is typically publicly accessible.
Vendor Security History
WP User Manager has had at least two previously disclosed vulnerabilities prior to CVE-2026-9290:
| Vulnerability | Affected Versions | Patched Version | Severity |
|---|---|---|---|
| Cross Site Request Forgery (CSRF) | <= 2.9.10 | 2.9.11 | Low |
| Arbitrary File Deletion | <= 2.9.12 | Not confirmed | Not confirmed |
| Local File Inclusion (CVE-2026-9290) | <= 2.9.17 | 2.9.18 | High (CVSS 7.5) |
The pattern across these vulnerabilities reveals a recurring theme of insufficient validation of user controlled input before it reaches sensitive operations. The CSRF issue stemmed from missing nonce validation, the file deletion from inadequate access controls, and CVE-2026-9290 from the absence of allowlist checking on the tab parameter. While the vendor has been responsive in patching reported issues, the progression from lower severity to high severity flaws suggests that a proactive security audit of all input handling paths would be more effective than the current reactive approach.
The vendor's response to CVE-2026-9290 was notably thorough. The fix PR implements whitelist validation and includes 8 WPUnit tests that explicitly verify behavior against valid tabs, directory traversal attempts, null byte sequences, and unregistered tab values.
References
- Wordfence Threat Intelligence Advisory for CVE-2026-9290
- GitHub Pull Request #445: Security fix for profile and account tab input validation
- WordPress Plugin Repository Changeset 3554574
- Vulnerable source: functions.php line 955 (tag 2.9.17)
- Vulnerable source: permalinks.php line 133 (tag 2.9.17)
- Vulnerable source: profile.php line 52 (tag 2.9.17)
- Vulnerable source: class-gamajo-template-loader.php line 226 (tag 2.9.17)
- Vulnerable source: Router.php line 183 (tag 2.9.17)
- WP User Manager on WordPress.org
- WP User Manager About Page
- GitHub Advisory GHSA-3h64-fx5v-2f3q
- Patchstack: CSRF in WP User Manager <= 2.9.10
- WPScan: WP User Manager < 2.9.11 CSRF
- CISA Known Exploited Vulnerabilities Catalog
- Wordfence: How to Find LFI Vulnerabilities in WordPress Plugins



