CVE-2026-49766

Vulnerability

The WP User Manager plugin for WordPress versions 2.9.16 and earlier contains an arbitrary file deletion vulnerability that can be triggered by authenticated users with the Subscriber role [1]. The flaw resides in a file deletion function that fails to properly validate the file path, allowing an attacker to delete any file on the server.

Exploitation

An attacker needs only a valid subscriber account on a WordPress site running the vulnerable plugin. No additional privileges or user interaction beyond authentication are required. The vulnerability is actively being exploited in mass campaigns, indicating that exploitation is trivial [1]. The attacker can send a crafted request to delete arbitrary files, including critical WordPress core files.

Impact

Successful exploitation allows an attacker to delete arbitrary files from the server, which can render the website inoperable, cause data loss, or enable further attacks by removing security controls. The CVSS score of 9.9 reflects the critical nature of this vulnerability [1].

Mitigation

The vulnerability is fixed in version 2.9.17 of the WP User Manager plugin. Users are strongly advised to update immediately. Patchstack has also released a virtual mitigation rule to block attacks until the update is applied [1]. No other workarounds are available.