What the vulnerability does
01Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0.
Explanation of Vulnerability in Simple Terms
02Summary
User Extra Fields versions 17.0 and earlier contain a path traversal vulnerability that allows authenticated users to cause a denial of service by disrupting site availability. An attacker with low-level account access can exploit this flaw without user interaction. The vulnerability affects the entire site scope, making it a significant availability risk for multi-user installations.
What an attacker can do
03Attacker Capabilities
Disrupt site availability through a path traversal attack that impacts the entire application.
Potential impact on your site
04Site Impact
Site availability can be disrupted by authenticated users with low-level accounts, affecting all users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account; no user interaction required.
Key dates
06Disclosure timeline
February 20, 2026
CVE published
April 28, 2026
Record updated