Wp User Manager
by WordPress
Source repositories
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49766 | Cri | 0.64 | 9.9 | 0.01 | Jun 15, 2026 | Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. | ||
| CVE-2026-4003 | Cri | 0.64 | 9.8 | 0.01 | Apr 8, 2026 | The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the… | ||
| CVE-2025-60245 | Cri | 0.64 | 9.8 | 0.00 | Nov 6, 2025 | Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12. | ||
| CVE-2026-9290 | Hig | 0.42 | 7.5 | 0.02 | Jun 6, 2026 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and… | ||
| CVE-2025-13320 | Med | 0.37 | 6.8 | 0.01 | Dec 12, 2025 | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs… | ||
| CVE-2024-10537 | 0.00 | — | 0.00 | Nov 23, 2024 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for… | |||
| CVE-2024-10216 | 0.00 | — | 0.00 | Nov 23, 2024 | The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it… | |||
| CVE-2021-24655 | 0.00 | — | 0.01 | Jul 17, 2022 | The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to… |
- risk 0.64cvss 9.9epss 0.01
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
- risk 0.64cvss 9.8epss 0.01
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the…
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.This issue affects WP User Manager: from n/a through <= 2.9.12.
- risk 0.42cvss 7.5epss 0.02
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and…
- risk 0.37cvss 6.8epss 0.01
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs…
- CVE-2024-10537Nov 23, 2024risk 0.00cvss —epss 0.00
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for…
- CVE-2024-10216Nov 23, 2024risk 0.00cvss —epss 0.00
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it…
- CVE-2021-24655Jul 17, 2022risk 0.00cvss —epss 0.01
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to…