What the vulnerability does
01Description
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
What the vulnerability does
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
Explanation of Vulnerability in Simple Terms
WP User Manager versions up to 2.9.16 contain a path traversal vulnerability that allows authenticated users to read, modify, or delete arbitrary files on the server. An attacker with low-level site access can bypass file restrictions and access sensitive data outside the intended directories. This affects confidentiality, integrity, and availability of the entire site.
What an attacker can do
Read, modify, or delete arbitrary files on the server outside intended directories.
Potential impact on your site
Attackers with basic site access can compromise site files, steal configuration data, or disable the site entirely.
Conditions required to exploit
Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).
Key dates
External resources
Related vulnerabilities