VYPR

CVE-2026-9290

Severity: High (7.5) · NVD Advisory · Published Jun 6, 2026
Description

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Affected products: 3

Patches: 1

Commit aca35870a46f

Security: validate profile tab against registered tabs (#445)

Repository: https://github.com/wpusermanager/wp-user-manager · Author: Iain Poulson · May 30, 2026 · via nvd-ref

3 files changed · +79 −3
  • includes/actions.php (+3 −2, modified)
    @@ -262,10 +262,11 @@ function wpum_restrict_account_page() {
      */
     function wpum_display_account_page_content() {
     
    -	$active_tab = get_query_var( 'tab' );
     	$tabs       = wpum_get_account_page_tabs();
    +	$active_tab = get_query_var( 'tab' );
     
    -	if ( empty( $active_tab ) ) {
    +	// Validate against registered tabs to prevent path traversal / LFI.
    +	if ( empty( $active_tab ) || ! isset( $tabs[ $active_tab ] ) ) {
     		$active_tab = key( $tabs );
     	}
     
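Review bot: this account-page path has no test of its own; the added tests/wpunit/Profile/TabValidationTest.php only exercises wpum_get_active_profile_tab() in includes/functions.php, so add a case that sets a traversal-style `tab` query var, calls wpum_display_account_page_content(), and asserts the first registered tab is what gets rendered. On the check itself, `! isset( $tabs[ $active_tab ] )` is the right allowlist shape, but prefer `! array_key_exists( $active_tab, $tabs )` so a registered tab whose value happens to be null is not silently treated as unregistered.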
    
  • includes/functions.php (+7 −1, modified)
    @@ -951,9 +951,15 @@ function wpum_get_profile_tab_url( $user, $tab ) {
      * @return string
      */
     function wpum_get_active_profile_tab() {
    -	$first_tab   = key( wpum_get_registered_profile_tabs() );
    +	$registered  = wpum_get_registered_profile_tabs();
    +	$first_tab   = key( $registered );
     	$profile_tab = get_query_var( 'tab', $first_tab );
     
    +	// Validate against registered tabs to prevent path traversal / LFI.
    +	if ( ! isset( $registered[ $profile_tab ] ) ) {
    +		$profile_tab = $first_tab;
    +	}
    +
     	return $profile_tab;
     }
     
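Review bot: `isset( $registered[ $profile_tab ] )` assumes `$profile_tab` is a scalar, but `get_query_var( 'tab' )` can hand back an array for a request like `?tab[]=x`, and an array used as an offset inside `isset()` is a TypeError on PHP 8 (a warning on PHP 7), so the function fatals instead of falling back. Put `! is_string( $profile_tab ) ||` in front of the lookup (or cast to string before it) so every non-string value takes the `$first_tab` branch. The `$first_tab` default passed to `get_query_var()` is now redundant with the fallback below it; harmless, but it could go.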
    
  • tests/wpunit/Profile/TabValidationTest.php (+69 −0, added)
    @@ -0,0 +1,69 @@
    +<?php
    +/**
    + * Tests for profile tab validation — ensures tab query var is validated
    + * against registered tabs to prevent path traversal / LFI.
    + */
    +
    +class TabValidationTest extends \Codeception\TestCase\WPTestCase {
    +
    +	public function _setUp() {
    +		parent::_setUp();
    +
    +		if ( ! function_exists( 'wpum_get_active_profile_tab' ) ) {
    +			require_once WPUM_PLUGIN_DIR . 'includes/functions.php';
    +		}
    +	}
    +
    +	public function _tearDown() {
    +		set_query_var( 'tab', '' );
    +		parent::_tearDown();
    +	}
    +
    +	public function test_valid_tab_is_returned() {
    +		set_query_var( 'tab', 'about' );
    +		$this->assertEquals( 'about', wpum_get_active_profile_tab() );
    +	}
    +
    +	public function test_valid_posts_tab_is_returned() {
    +		// Enable posts tab.
    +		wpum_update_option( 'profile_posts', true );
    +		set_query_var( 'tab', 'posts' );
    +		$this->assertEquals( 'posts', wpum_get_active_profile_tab() );
    +	}
    +
    +	public function test_default_tab_when_no_query_var() {
    +		set_query_var( 'tab', '' );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +
    +	public function test_traversal_tab_returns_default() {
    +		set_query_var( 'tab', '../../wp-config' );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +
    +	public function test_dot_dot_slash_tab_returns_default() {
    +		set_query_var( 'tab', '../../../etc/passwd' );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +
    +	public function test_unregistered_tab_returns_default() {
    +		set_query_var( 'tab', 'nonexistent_tab_xyz' );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +
    +	public function test_null_byte_tab_returns_default() {
    +		set_query_var( 'tab', "about\0../../wp-config" );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +
    +	public function test_backslash_tab_returns_default() {
    +		set_query_var( 'tab', '..\\..\\wp-config' );
    +		$tab = wpum_get_active_profile_tab();
    +		$this->assertEquals( 'about', $tab );
    +	}
    +}
    
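Review bot: `test_valid_posts_tab_is_returned` switches on the `profile_posts` option with `wpum_update_option( 'profile_posts', true )` and never switches it back, so the enabled state leaks into whichever test runs after it; reset that option in `_tearDown()` next to the existing `set_query_var( 'tab', '' )`. Separately, all eight assertions check only the returned slug; since `test_null_byte_tab_returns_default` and `test_backslash_tab_returns_default` exist precisely because the slug once reached a file include, one test that renders a profile with a traversal `tab` and asserts only a template from the plugin's template directory was included would tie the unit behaviour to the actual sink.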

Vulnerability mechanics

Root cause

"The plugin fails to properly sanitize user-supplied input used in file inclusion operations."

Attack vector

An unauthenticated attacker can exploit this vulnerability by crafting a malicious request that includes a path traversal sequence. This allows the attacker to include and execute arbitrary PHP files on the server. The vulnerability is present in the (profile template scope) function, which is accessible without authentication. This can lead to arbitrary code execution or sensitive data exposure.

Affected code

The vulnerability exists within the WP User Manager – User Profile Builder & Membership plugin. The affected code is located in the file includes/functions.php, specifically around line 955, within a function related to profile template scope.

What the fix does

The patch validates the `tab` query variable against the plugin's registered tabs before the value is used to select a profile template. In both wpum_get_active_profile_tab() (includes/functions.php) and wpum_display_account_page_content() (includes/actions.php), a value that is not a key of the registered-tab array is replaced by the first registered tab. Because only a registered tab name reaches the inclusion step, traversal sequences and other unregistered names can no longer select an unintended file, which removes the arbitrary code execution path.
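The allowlist check the patch introduces, written as a stand-alone PHP example added here (it is not the plugin's code): `resolve_profile_tab()` is a hypothetical function name, the registered-tab array is constructed, and the inputs mirror the cases in the plugin's new test file. It goes one step beyond the patch by also treating a non-string query var (`?tab[]=x`) as unregistered rather than letting it reach the array lookup.

```php
<?php
// Added example, not the plugin's code. Resolves a user-supplied tab name
// against an allowlist of registered tabs, the same shape as the fix in
// wpum_get_active_profile_tab(). Function and variable names are hypothetical.

declare(strict_types=1);

/**
 * Return a tab slug that is guaranteed to be a key of $registered.
 *
 * @param array<string,array> $registered Registered tabs, slug => config (constructed).
 * @param mixed               $requested  Raw value of the `tab` query var.
 */
function resolve_profile_tab( array $registered, $requested ): string {
    // The first registered tab is the fallback, as in the patch.
    $first_tab = (string) array_key_first( $registered );

    // The query var may be absent, empty, or an array (?tab[]=x).
    // Only a non-empty string is safe to use as an array offset.
    if ( ! is_string( $requested ) || $requested === '' ) {
        return $first_tab;
    }

    // Exact-key membership test. Anything not registered, including
    // "../../wp-config", "..\\..\\wp-config" and "about\0...", falls back.
    // No path string is ever built from the raw value.
    return array_key_exists( $requested, $registered ) ? $requested : $first_tab;
}

// The template is then selected only from the validated slug, e.g.
//   include $template_dir . '/' . resolve_profile_tab( $registered, $raw ) . '.php';
// so the include can only ever name a registered tab.

// Constructed registered tabs.
$registered = [
    'about' => [ 'name' => 'About' ],
    'posts' => [ 'name' => 'Posts' ],
];

// Constructed inputs mirroring the cases in the plugin's TabValidationTest.
$inputs = [
    'about',
    'posts',
    '',
    null,
    '../../wp-config',
    '../../../etc/passwd',
    "about\0../../wp-config",
    '..\\..\\wp-config',
    [ 'x' ],
];

foreach ( $inputs as $input ) {
    printf( "%-36s => %s\n", json_encode( $input ), resolve_profile_tab( $registered, $input ) );
}
```

Run with `php resolve_tab.php`: the two registered names come back unchanged and every other input, including the array, resolves to `about`. The point of the `is_string()` guard is that a TypeError or warning from the lookup is itself a failure mode; the function should degrade to the default tab, not to an error page.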

Preconditions

  • auth: The attacker does not need any authentication to exploit this vulnerability.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0

No linked articles in our index yet.