What is CVE-2026-9290?

CVE-2026-9290 is a high-severity vulnerability in the WP User Manager plugin for WordPress, affecting versions up to and including 2.9.17. It allows unauthenticated attackers to exploit a Local File Inclusion (LFI) flaw via the ‘tab’ query parameter, potentially leading to arbitrary PHP file execution.

How does the vulnerability work?

The vulnerability arises from the plugin’s failure to validate the ‘tab’ query parameter against a list of registered tabs. An attacker can craft a request that includes path traversal sequences, allowing them to include sensitive files or execute arbitrary PHP code on the server.

Who is affected by this vulnerability?

Any WordPress installation using the WP User Manager plugin version 2.9.17 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin panel. Look for the WP User Manager plugin and verify its version. If it is 2.9.17 or lower, your site is vulnerable.

What should I do to fix this vulnerability?

To mitigate this vulnerability, you should update the WP User Manager plugin to version 2.9.18 or later, where the issue has been patched. Regularly updating all plugins and themes is a best practice for maintaining site security.

What is the risk level of CVE-2026-9290?

CVE-2026-9290 has a CVSS score of 7.5, indicating a high severity level. This means that successful exploitation could lead to significant risks, including unauthorized access to sensitive data and the potential for complete site compromise.

What does the proof of concept (PoC) demonstrate?

The proof of concept demonstrates how an attacker can exploit the vulnerability by crafting a request that includes a malicious ‘tab’ parameter. For example, a request like ‘/account/?tab=../../../../wp-config.php’ attempts to include the WordPress configuration file, showcasing the risk of arbitrary file inclusion.

Can this vulnerability be exploited without authentication?

Yes, this vulnerability can be exploited by unauthenticated attackers, meaning that no user login is required to execute the attack. This increases the risk significantly, as it can be targeted by anyone on the internet.

What are the potential consequences of exploitation?

If successfully exploited, an attacker could read sensitive files such as the wp-config.php file, which contains database credentials. They could also upload malicious PHP files and execute them, leading to full control over the affected WordPress site.

How does the patch address the vulnerability?

The patch for CVE-2026-9290 includes validation of the ‘tab’ parameter against a list of registered tabs. This prevents the inclusion of arbitrary files by ensuring that only valid tab values are processed, effectively mitigating the path traversal issue.

What additional security measures should I consider?

In addition to updating the plugin, consider implementing security measures such as using a web application firewall, regularly monitoring your site for suspicious activity, and conducting security audits. Keeping all software up to date is crucial for maintaining security.

Where can I find more information about CVE-2026-9290?

For more detailed information about CVE-2026-9290, you can refer to the official CVE database or security advisories related to the WP User Manager plugin. Security blogs and forums may also provide insights and discussions regarding this vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 13, 2026

CVE-2026-9290: WP User Manager <= 2.9.17 Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-9290

Plugin wp-user-manager

Severity High (CVSS 7.5)

CWE 22

Vulnerable Version 2.9.17

Patched Version 2.9.18

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9290:
This vulnerability allows unauthenticated Local File Inclusion (LFI) in the WP User Manager plugin for WordPress, versions 2.9.17 and earlier. The issue resides in the profile tab functionality, specifically in how the plugin handles the ‘tab’ query parameter on account and profile pages. Atomic Edge research confirms this is a path traversal flaw that can lead to arbitrary PHP file inclusion.

Root Cause:
The vulnerability exists in two key functions within the plugin. In wp-user-manager/includes/actions.php, the wpum_display_account_page_content() function retrieves the ‘tab’ query variable using get_query_var(‘tab’) without validating it against the list of registered tabs. The check ‘if ( empty( $active_tab ) )’ only checks for emptiness, not validity. An arbitrary string containing path traversal sequences like ‘../../../../’ passes this check. In wp-user-manager/includes/functions.php, the wpum_get_active_profile_tab() function also retrieves the ‘tab’ query variable without validation against the registered tabs array. The value is then used to load template files, enabling inclusion of arbitrary PHP files from the server’s filesystem.

Exploitation:
An unauthenticated attacker can exploit this by crafting a request to any page using WP User Manager’s profile or account templates. The attack vector uses the ‘tab’ query parameter with path traversal sequences. For example, a request like ‘/account/?tab=../../../../wp-config.php’ would attempt to include and execute the WordPress configuration file. Since the plugin includes PHP files based on the tab parameter, an attacker can specify any .php file on the server. If the attacker can upload a malicious .php file (e.g., via the WordPress media library or another plugin), they can include that file and achieve remote code execution.

Patch Analysis:
The patch modifies both vulnerable functions to validate the ‘tab’ parameter against the registered tabs array before use. In actions.php, the condition changes from ‘if ( empty( $active_tab ) )’ to ‘if ( empty( $active_tab ) || ! isset( $tabs[ $active_tab ] ) )’, ensuring only valid tab keys are accepted. In functions.php, the patched code checks ‘if ( ! isset( $registered[ $profile_tab ] ) )’ and falls back to the first registered tab if the value is invalid. This prevents path traversal by rejecting any tab value that does not exactly match a registered tab key.

Impact:
Successful exploitation allows an unauthenticated attacker to include and execute arbitrary PHP files on the server. This can lead to complete site compromise: an attacker can read sensitive files (like wp-config.php containing database credentials), bypass access controls, and achieve remote code execution if PHP files can be uploaded. Given the CVSS score of 7.5, this vulnerability poses a critical risk to affected WordPress installations.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-user-manager/includes/actions.php
+++ b/wp-user-manager/includes/actions.php
@@ -262,10 +262,11 @@
  */
 function wpum_display_account_page_content() {

-	$active_tab = get_query_var( 'tab' );
 	$tabs       = wpum_get_account_page_tabs();
+	$active_tab = get_query_var( 'tab' );

-	if ( empty( $active_tab ) ) {
+	// Validate against registered tabs to prevent path traversal / LFI.
+	if ( empty( $active_tab ) || ! isset( $tabs[ $active_tab ] ) ) {
 		$active_tab = key( $tabs );
 	}

@@ -516,7 +517,7 @@
 	$user_id     = filter_input( INPUT_GET, 'user_id', FILTER_VALIDATE_INT );
 	$profileuser = isset( $user_id ) ? get_user_by( 'id', $user_id ) : false;

-	if ( ! $profileuser && 'user-new.php' !== $pagenow ) {
+	if ( ! $profileuser && ! in_array( $pagenow, array( 'user-new.php', 'user-edit.php' ), true ) ) {
 		return;
 	}

--- a/wp-user-manager/includes/admin/class-wpum-avatars.php
+++ b/wp-user-manager/includes/admin/class-wpum-avatars.php
@@ -36,7 +36,9 @@

 		if ( wpum_get_option( 'custom_avatars' ) ) {
 			add_action( 'carbon_fields_register_fields', array( $this, 'avatar_field' ) );
-			add_filter( 'get_avatar_url', array( $this, 'set_avatar_url' ), 10, 3 );
+
+			// Set user uploaded avatar a higher priority than the default avatar.
+			add_filter( 'get_avatar_url', array( $this, 'set_avatar_url' ), 11, 3 );
 		}

 		if ( ! wpum_get_option( 'disable_profile_cover' ) ) {
--- a/wp-user-manager/includes/emails/class-wpum-emails-customizer-scripts.php
+++ b/wp-user-manager/includes/emails/class-wpum-emails-customizer-scripts.php
@@ -92,6 +92,11 @@
 			'sections'          => $sections,
 		);
 		wp_localize_script( 'wpum-email-customize-controls', 'wpumCustomizeControls', $js_variables );
+
+		// This is a workaround to ensure that the tinymce editor is initialized in a block theme.
+		if ( function_exists( 'wp_is_block_theme' ) && wp_is_block_theme() ) {
+			do_action( 'admin_print_footer_scripts' );
+		}
 	}
 }

--- a/wp-user-manager/includes/functions.php
+++ b/wp-user-manager/includes/functions.php
@@ -951,9 +951,15 @@
  * @return string
  */
 function wpum_get_active_profile_tab() {
-	$first_tab   = key( wpum_get_registered_profile_tabs() );
+	$registered  = wpum_get_registered_profile_tabs();
+	$first_tab   = key( $registered );
 	$profile_tab = get_query_var( 'tab', $first_tab );

+	// Validate against registered tabs to prevent path traversal / LFI.
+	if ( ! isset( $registered[ $profile_tab ] ) ) {
+		$profile_tab = $first_tab;
+	}
+
 	return $profile_tab;
 }

--- a/wp-user-manager/vendor-dist/composer/installed.php
+++ b/wp-user-manager/vendor-dist/composer/installed.php
@@ -2,4 +2,4 @@

 namespace WPUM;

-return array('root' => array('name' => 'wp-user-manager/wp-user-manager', 'pretty_version' => 'v2.9.17', 'version' => '2.9.17.0', 'reference' => 'b10a593d26911a6b552c45451662e436ce778bd0', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('brain/cortex' => array('pretty_version' => 'dev-refactoring-fastroute', 'version' => 'dev-refactoring-fastroute', 'reference' => '86bec053ec2c4d2e4c75af64e0cee951d9b0054b', 'type' => 'library', 'install_path' => __DIR__ . '/../brain/cortex', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'composer/installers' => array('pretty_version' => '1.x-dev', 'version' => '1.9999999.9999999.9999999-dev', 'reference' => 'd20a64ed3c94748397ff5973488761b22f6d3f19', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/./installers', 'aliases' => array(), 'dev_requirement' => false), 'dompdf/dompdf' => array('pretty_version' => 'v2.0.2', 'version' => '2.0.2.0', 'reference' => 'ad4c631bf8897fc1ca7b566468a969cfd71a558a', 'type' => 'library', 'install_path' => __DIR__ . '/../dompdf/dompdf', 'aliases' => array(), 'dev_requirement' => false), 'gamajo/template-loader' => array('pretty_version' => '1.3.1', 'version' => '1.3.1.0', 'reference' => 'fa92a37b780d945463f7fea328dce14933558752', 'type' => 'library', 'install_path' => __DIR__ . '/../gamajo/template-loader', 'aliases' => array(), 'dev_requirement' => false), 'htmlburger/carbon-fields' => array('pretty_version' => 'v3.6.9', 'version' => '3.6.9.0', 'reference' => 'f82e80e3e3469d6e86cc17a8950b918ad448a059', 'type' => 'library', 'install_path' => __DIR__ . '/../htmlburger/carbon-fields', 'aliases' => array(), 'dev_requirement' => false), 'masterminds/html5' => array('pretty_version' => '2.7.6', 'version' => '2.7.6.0', 'reference' => '897eb517a343a2281f11bc5556d6548db7d93947', 'type' => 'library', 'install_path' => __DIR__ . '/../masterminds/html5', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.66.0', 'version' => '2.66.0.0', 'reference' => '496712849902241f04902033b0441b269effe001', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'nikic/fast-route' => array('pretty_version' => 'v0.7.0', 'version' => '0.7.0.0', 'reference' => '8164b4a0d8afde4eae5f1bfc39084972ba23ad36', 'type' => 'library', 'install_path' => __DIR__ . '/../nikic/fast-route', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-font-lib' => array('pretty_version' => '0.5.4', 'version' => '0.5.4.0', 'reference' => 'dd448ad1ce34c63d09baccd05415e361300c35b4', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-font-lib', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-svg-lib' => array('pretty_version' => '0.5.0', 'version' => '0.5.0.0', 'reference' => '76876c6cf3080bcb6f249d7d59705108166a6685', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-svg-lib', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message' => array('pretty_version' => '1.0.1', 'version' => '1.0.1.0', 'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'roundcube/plugin-installer' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'sabberworm/php-css-parser' => array('pretty_version' => '8.4.0', 'version' => '8.4.0.0', 'reference' => 'e41d2140031d533348b2192a83f02d8dd8a71d30', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'shama/baton' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'stripe/stripe-php' => array('pretty_version' => 'v10.5.0', 'version' => '10.5.0.0', 'reference' => '331415b232d60d7c0449de7bde4cb7d4fedf982e', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => 'e8b495ea28c1d97b5e0c121748d6f9b53d075c66', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => '9344f9cb97f3b19424af1a21a3b0e75b0a7d8d7e', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => 'cfa0ae98841b9e461207c13ab093d76b0fa7bace', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.11', 'version' => '5.4.11.0', 'reference' => '7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => '136b19dd05cdf0709db6537d058bcab6dd6e2dbe', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3')), 'wearerequired/wp-requirements-check' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '82b8a6c4b953f59e7e534df2d4287e34af950812', 'type' => 'library', 'install_path' => __DIR__ . '/../wearerequired/wp-requirements-check', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-notices' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5498f209c6667e88e944194a93a50f9ffc25ea24', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-notices', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'wp-user-manager/wp-optionskit' => array('pretty_version' => '1.1.2', 'version' => '1.1.2.0', 'reference' => '6253bda447991733bf8e19cb2123b41c666f3d62', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-optionskit', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-user-manager' => array('pretty_version' => 'v2.9.17', 'version' => '2.9.17.0', 'reference' => 'b10a593d26911a6b552c45451662e436ce778bd0', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wpum-blocks' => array('pretty_version' => '1.15', 'version' => '1.15.0.0', 'reference' => 'fc3d01fe0baa2fb0fdf6a0f4cff30fc40bb1dbba', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wpum-blocks', 'aliases' => array(), 'dev_requirement' => false), 'wpbp/widgets-helper' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5547acaaf60b856b0025cdf44e3831e0f3202929', 'type' => 'library', 'install_path' => __DIR__ . '/../wpbp/widgets-helper', 'aliases' => array(), 'dev_requirement' => false)));
+return array('root' => array('name' => 'wp-user-manager/wp-user-manager', 'pretty_version' => 'v2.9.18', 'version' => '2.9.18.0', 'reference' => '64c9e1e2bdcef87d738e1a533c5d4f1bfdcd74ba', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('brain/cortex' => array('pretty_version' => 'dev-refactoring-fastroute', 'version' => 'dev-refactoring-fastroute', 'reference' => '86bec053ec2c4d2e4c75af64e0cee951d9b0054b', 'type' => 'library', 'install_path' => __DIR__ . '/../brain/cortex', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'composer/installers' => array('pretty_version' => '1.x-dev', 'version' => '1.9999999.9999999.9999999-dev', 'reference' => 'd20a64ed3c94748397ff5973488761b22f6d3f19', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/./installers', 'aliases' => array(), 'dev_requirement' => false), 'dompdf/dompdf' => array('pretty_version' => 'v2.0.2', 'version' => '2.0.2.0', 'reference' => 'ad4c631bf8897fc1ca7b566468a969cfd71a558a', 'type' => 'library', 'install_path' => __DIR__ . '/../dompdf/dompdf', 'aliases' => array(), 'dev_requirement' => false), 'gamajo/template-loader' => array('pretty_version' => '1.3.1', 'version' => '1.3.1.0', 'reference' => 'fa92a37b780d945463f7fea328dce14933558752', 'type' => 'library', 'install_path' => __DIR__ . '/../gamajo/template-loader', 'aliases' => array(), 'dev_requirement' => false), 'htmlburger/carbon-fields' => array('pretty_version' => 'v3.6.9', 'version' => '3.6.9.0', 'reference' => 'f82e80e3e3469d6e86cc17a8950b918ad448a059', 'type' => 'library', 'install_path' => __DIR__ . '/../htmlburger/carbon-fields', 'aliases' => array(), 'dev_requirement' => false), 'masterminds/html5' => array('pretty_version' => '2.7.6', 'version' => '2.7.6.0', 'reference' => '897eb517a343a2281f11bc5556d6548db7d93947', 'type' => 'library', 'install_path' => __DIR__ . '/../masterminds/html5', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.66.0', 'version' => '2.66.0.0', 'reference' => '496712849902241f04902033b0441b269effe001', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'nikic/fast-route' => array('pretty_version' => 'v0.7.0', 'version' => '0.7.0.0', 'reference' => '8164b4a0d8afde4eae5f1bfc39084972ba23ad36', 'type' => 'library', 'install_path' => __DIR__ . '/../nikic/fast-route', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-font-lib' => array('pretty_version' => '0.5.4', 'version' => '0.5.4.0', 'reference' => 'dd448ad1ce34c63d09baccd05415e361300c35b4', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-font-lib', 'aliases' => array(), 'dev_requirement' => false), 'phenx/php-svg-lib' => array('pretty_version' => '0.5.0', 'version' => '0.5.0.0', 'reference' => '76876c6cf3080bcb6f249d7d59705108166a6685', 'type' => 'library', 'install_path' => __DIR__ . '/../phenx/php-svg-lib', 'aliases' => array(), 'dev_requirement' => false), 'psr/http-message' => array('pretty_version' => '1.0.1', 'version' => '1.0.1.0', 'reference' => 'f6561bf28d520154e4b0ec72be95418abe6d9363', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/http-message', 'aliases' => array(), 'dev_requirement' => false), 'roundcube/plugin-installer' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'sabberworm/php-css-parser' => array('pretty_version' => '8.4.0', 'version' => '8.4.0.0', 'reference' => 'e41d2140031d533348b2192a83f02d8dd8a71d30', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'shama/baton' => array('dev_requirement' => false, 'replaced' => array(0 => '*')), 'stripe/stripe-php' => array('pretty_version' => 'v10.5.0', 'version' => '10.5.0.0', 'reference' => '331415b232d60d7c0449de7bde4cb7d4fedf982e', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => 'e8b495ea28c1d97b5e0c121748d6f9b53d075c66', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => '9344f9cb97f3b19424af1a21a3b0e75b0a7d8d7e', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.26.0', 'version' => '1.26.0.0', 'reference' => 'cfa0ae98841b9e461207c13ab093d76b0fa7bace', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.11', 'version' => '5.4.11.0', 'reference' => '7a1a8f6bbff269f434a83343a0a5d36a4f8cfa21', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.2', 'version' => '2.5.2.0', 'reference' => '136b19dd05cdf0709db6537d058bcab6dd6e2dbe', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3')), 'wearerequired/wp-requirements-check' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '82b8a6c4b953f59e7e534df2d4287e34af950812', 'type' => 'library', 'install_path' => __DIR__ . '/../wearerequired/wp-requirements-check', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-notices' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5498f209c6667e88e944194a93a50f9ffc25ea24', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-notices', 'aliases' => array(0 => '9999999-dev'), 'dev_requirement' => false), 'wp-user-manager/wp-optionskit' => array('pretty_version' => '1.1.2', 'version' => '1.1.2.0', 'reference' => '6253bda447991733bf8e19cb2123b41c666f3d62', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wp-optionskit', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wp-user-manager' => array('pretty_version' => 'v2.9.18', 'version' => '2.9.18.0', 'reference' => '64c9e1e2bdcef87d738e1a533c5d4f1bfdcd74ba', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'wp-user-manager/wpum-blocks' => array('pretty_version' => '1.15', 'version' => '1.15.0.0', 'reference' => 'fc3d01fe0baa2fb0fdf6a0f4cff30fc40bb1dbba', 'type' => 'library', 'install_path' => __DIR__ . '/../wp-user-manager/wpum-blocks', 'aliases' => array(), 'dev_requirement' => false), 'wpbp/widgets-helper' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '5547acaaf60b856b0025cdf44e3831e0f3202929', 'type' => 'library', 'install_path' => __DIR__ . '/../wpbp/widgets-helper', 'aliases' => array(), 'dev_requirement' => false)));
--- a/wp-user-manager/wp-user-manager.php
+++ b/wp-user-manager/wp-user-manager.php
@@ -3,7 +3,7 @@
  * Plugin Name: WP User Manager
  * Plugin URI:  https://wpusermanager.com
  * Description: Beautifully simple user profile directories with frontend login, registration and account customization. WP User Manager is the best solution to manage your community and your users for WordPress.
- * Version: 2.9.17
+ * Version: 2.9.18
  * Requires PHP: 7.4
  * Author:      WP User Manager
  * Author URI:  https://wpusermanager.com
@@ -21,7 +21,7 @@
 function WPUM() {
 	require_once __DIR__ . '/includes/class-wp-user-manager.php';

-	return WP_User_Manager::instance( __FILE__, '2.9.17' );
+	return WP_User_Manager::instance( __FILE__, '2.9.18' );
 }

 WPUM();

Frequently Asked Questions

What is CVE-2026-9290?
Overview of the vulnerability
CVE-2026-9290 is a high-severity vulnerability in the WP User Manager plugin for WordPress, affecting versions up to and including 2.9.17. It allows unauthenticated attackers to exploit a Local File Inclusion (LFI) flaw via the ‘tab’ query parameter, potentially leading to arbitrary PHP file execution.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to validate the ‘tab’ query parameter against a list of registered tabs. An attacker can craft a request that includes path traversal sequences, allowing them to include sensitive files or execute arbitrary PHP code on the server.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress installation using the WP User Manager plugin version 2.9.17 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin panel. Look for the WP User Manager plugin and verify its version. If it is 2.9.17 or lower, your site is vulnerable.
What should I do to fix this vulnerability?
Steps for remediation
To mitigate this vulnerability, you should update the WP User Manager plugin to version 2.9.18 or later, where the issue has been patched. Regularly updating all plugins and themes is a best practice for maintaining site security.
What is the risk level of CVE-2026-9290?
Understanding the CVSS score
CVE-2026-9290 has a CVSS score of 7.5, indicating a high severity level. This means that successful exploitation could lead to significant risks, including unauthorized access to sensitive data and the potential for complete site compromise.
What does the proof of concept (PoC) demonstrate?
Illustration of the vulnerability
The proof of concept demonstrates how an attacker can exploit the vulnerability by crafting a request that includes a malicious ‘tab’ parameter. For example, a request like ‘/account/?tab=../../../../wp-config.php’ attempts to include the WordPress configuration file, showcasing the risk of arbitrary file inclusion.
Can this vulnerability be exploited without authentication?
Unauthenticated access
Yes, this vulnerability can be exploited by unauthenticated attackers, meaning that no user login is required to execute the attack. This increases the risk significantly, as it can be targeted by anyone on the internet.
What are the potential consequences of exploitation?
Impact of successful attacks
If successfully exploited, an attacker could read sensitive files such as the wp-config.php file, which contains database credentials. They could also upload malicious PHP files and execute them, leading to full control over the affected WordPress site.
How does the patch address the vulnerability?
Changes made in the updated version
The patch for CVE-2026-9290 includes validation of the ‘tab’ parameter against a list of registered tabs. This prevents the inclusion of arbitrary files by ensuring that only valid tab values are processed, effectively mitigating the path traversal issue.
What additional security measures should I consider?
Best practices for WordPress security
In addition to updating the plugin, consider implementing security measures such as using a web application firewall, regularly monitoring your site for suspicious activity, and conducting security audits. Keeping all software up to date is crucial for maintaining security.
Where can I find more information about CVE-2026-9290?
Resources for further reading
For more detailed information about CVE-2026-9290, you can refer to the official CVE database or security advisories related to the WP User Manager plugin. Security blogs and forums may also provide insights and discussions regarding this vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations