External risk intelligence

WP User Manager Arbitrary File Deletion Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-49766

A critical vulnerability in WP User Manager allows authenticated users to delete arbitrary files on a server, potentially leading to data loss or system compromise. This flaw exists in versions prior to 2.9.16 and is a concern due to the plugin's common use in WordPress sites. The primary concern is confirming the plug

Halo Surface Signal

Halo Surface Signal score for CVE-2026-49766: 4

Path Traversal

External exposure likelihood

The vulnerability exists in a WordPress plugin. WordPress sites are commonly deployed as public-facing web applications, making the plugin's functionality and its associated attack surface typically reachable from the internet.

PCI scan relevance

PCI Relevance for CVE-2026-49766: Yes

CVE-2026-49766 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This arbitrary file deletion vulnerability in WP User Manager could lead to a PCI ASV scan failure due to its potential impact on system integrity and availability.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in a widely used WordPress plugin that could allow unauthorized users to delete files on a server. While the specific impact depends on its presence and configuration within your environment, such a flaw could potentially compromise system integrity and lead to data loss if exploited. Confirming relevance and exposure is the primary concern at this stage.

  • Allows unauthorized file deletion.
  • Matters due to plugin's common use.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker with low-privileged access could exploit this vulnerability to delete arbitrary files on the server. This could occur if the attacker interacts with a specific feature within the WP User Manager plugin that fails to properly validate file paths. Successful exploitation could lead to significant data loss or system compromise.

  • Requires authenticated access.
  • Triggered by file path manipulation.
  • Leads to arbitrary file deletion.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, this vulnerability could allow an authenticated subscriber to delete arbitrary files on a WordPress site, which could affect the site's availability and integrity.

  • System files on the server.
  • Unauthorized deletion of files.
  • Site disruption and data loss.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in WP User Manager requires action from teams managing WordPress sites. The first practical step is to identify all instances of the affected plugin, confirm their exposure to the internet, and determine which are business-critical. Once ownership is confirmed, a risk-based remediation plan can be developed, potentially involving coordination with the plugin vendor.

  • Application owners should own this issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on identified risk.

Frequently asked questions

What is the WP User Manager plugin?

WP User Manager is a WordPress plugin used to manage user registrations, profiles, and access controls on websites. It extends the core capabilities of WordPress by providing custom login forms, user directories, and profile management features, making it a common choice for sites that need enhanced member-focused functionality.

What does arbitrary file deletion mean in CVE-2026-49766?

This vulnerability, classified as CWE-22, involves improper path validation. It means the software fails to check if a file path is allowed, enabling a user to influence which file the system targets. In this context, it allows an unauthorized party to delete files from the server, which could damage the site's functionality or remove critical system data.
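To make the CWE-22 failure concrete, here is an added example (not code from WP User Manager or from this advisory) showing the improper path validation pattern next to a hardened version. It uses a constructed, throwaway directory layout with an `uploads/` folder and a `wp-config.php` one level above it; the function names, the layout and the sample inputs are all assumptions made for the illustration. The hardened check resolves the candidate path with `realpath()` and refuses anything that does not stay under the allowed base directory, which covers `../` segments, absolute paths (which `os.path.join` would otherwise let replace the base) and symlink escapes.

```python
import os
import shutil
import tempfile
from pathlib import Path


def is_within_base(base_dir: str, candidate: str) -> bool:
    """Return True only if `candidate` resolves to a location inside `base_dir`.

    realpath() collapses '..' segments and follows symlinks, so the comparison
    is made on the final on-disk location rather than on the raw string.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, candidate))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return False


def delete_upload_unsafe(base_dir: str, user_supplied: str) -> bool:
    """Constructed illustration of the weak pattern: the user-controlled name
    is joined to the uploads directory with no containment check, so '..'
    segments (or an absolute path) select a file outside that directory."""
    path = os.path.join(base_dir, user_supplied)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def delete_upload_safe(base_dir: str, user_supplied: str) -> bool:
    """Hardened variant: refuse any name that resolves outside base_dir."""
    if not is_within_base(base_dir, user_supplied):
        return False
    path = os.path.realpath(os.path.join(base_dir, user_supplied))
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def build_sample_site() -> str:
    """Create a constructed, disposable layout: <root>/wp-config.php and
    <root>/uploads/avatar.png. Nothing here is a real site."""
    root = tempfile.mkdtemp(prefix="cwe22-demo-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    Path(root, "wp-config.php").write_text("<?php // constructed sample config\n")
    Path(uploads, "avatar.png").write_bytes(b"constructed sample bytes")
    return root


def demo() -> dict:
    """Run both variants against the same inputs and report what happened."""
    root = build_sample_site()
    uploads = os.path.join(root, "uploads")
    config = os.path.join(root, "wp-config.php")
    try:
        results = {
            # Hardened function: traversal and absolute-path inputs are refused.
            "safe_refuses_traversal": not delete_upload_safe(uploads, "../wp-config.php"),
            "safe_refuses_absolute": not delete_upload_safe(uploads, config),
            "config_survives_safe": os.path.exists(config),
            # Hardened function still serves the legitimate case.
            "safe_deletes_legit": delete_upload_safe(uploads, "avatar.png"),
        }
        # Weak pattern on the same traversal input: the file outside uploads/ is gone.
        results["unsafe_deletes_config"] = delete_upload_unsafe(uploads, "../wp-config.php")
        results["config_gone_after_unsafe"] = not os.path.exists(config)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment check is deliberately done on the resolved path rather than by rejecting the literal string `..`, because encoded or doubled separators and symlinks can slip past string filters while still resolving outside the base directory.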

Do I need administrative access to trigger this vulnerability?

No, administrative access is not required. The vulnerability can be triggered by a low-privileged user, such as a standard subscriber. It cannot be triggered by someone without an account, or when the specific feature responsible for file handling is disabled or absent from your current plugin configuration.

Is my site at risk if it uses WP User Manager?

Halo Surface Signal indicates this is a likely concern because WordPress plugins are typically deployed on internet-facing web applications. Since the plugin is designed to be reachable by site users, the attack surface is generally accessible from the internet, so you should verify whether your specific instance is exposed.

How should I respond to this threat?

Begin by auditing your environment to identify all instances of the WP User Manager plugin. Determine which sites are business-critical and verify their exposure to the internet. Once you have a clear inventory, prioritize those systems for risk-based updates or configuration changes, coordinating directly with the plugin vendor to secure your installation.
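The inventory and prioritisation steps described in the Operational Fix section and in the answer above can be reduced to a small triage routine. The following is an added example (not tooling from the advisory vendor or the plugin project): it parses the `Version:` line from a plugin's main-file header comment, which is where WordPress stores plugin metadata, compares it against the 2.9.16 fix version stated in the advisory, and ranks each site by whether it is internet-facing and business-critical. The site names, header texts and the P1/P2/P3 labels are constructed for the illustration; how you collect the header text from each site (file share, SSH, a management API) is left to your environment.

```python
import re

# The advisory states that versions prior to 2.9.16 are affected.
FIXED_VERSION = (2, 9, 16)

# WordPress reads plugin metadata from a comment block at the top of the main
# plugin file; the line of interest looks like " * Version: 2.9.15".
VERSION_LINE = re.compile(r"^[\s*#]*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text: str):
    """Return the plugin version as a tuple of ints, or None if no Version line exists."""
    match = VERSION_LINE.search(header_text)
    if not match:
        return None
    parts = [p for p in match.group(1).split(".") if p]
    return tuple(int(p) for p in parts)


def is_affected(version) -> bool:
    """True when the installed version is older than the fix.

    Tuple comparison orders components numerically, so (2, 10) correctly
    sorts after (2, 9, 16) where a plain string comparison would not.
    """
    return version < FIXED_VERSION


def triage(sites: dict) -> list:
    """Rank sites for remediation.

    `sites` maps a site name to a dict with keys `header` (text of the plugin's
    main-file header), `internet_facing` and `business_critical` (bools).
    Priority labels are constructed for this example:
      P1  affected, reachable from the internet, business-critical
      P2  affected, reachable from the internet
      P3  affected, internal only
      UNKNOWN  no readable version line; inspect by hand
      NONE  already at or above the fixed version
    """
    findings = []
    for name, info in sites.items():
        version = parse_version(info["header"])
        if version is None:
            priority = "UNKNOWN"
        elif not is_affected(version):
            priority = "NONE"
        elif info["internet_facing"] and info["business_critical"]:
            priority = "P1"
        elif info["internet_facing"]:
            priority = "P2"
        else:
            priority = "P3"
        findings.append({"site": name, "version": version, "priority": priority})
    order = {"P1": 0, "P2": 1, "P3": 2, "UNKNOWN": 3, "NONE": 4}
    return sorted(findings, key=lambda f: (order[f["priority"]], f["site"]))


def _header(version_line: str) -> str:
    """Build a constructed plugin header comment for the sample inventory."""
    return "<?php\n/**\n * Plugin Name: WP User Manager\n" + version_line + " */\n"


# Constructed sample inventory; none of these hosts exist.
SAMPLE_SITES = {
    "shop.example":     {"header": _header(" * Version: 2.9.15\n"), "internet_facing": True,  "business_critical": True},
    "members.example":  {"header": _header(" * Version: 2.9.10\n"), "internet_facing": True,  "business_critical": False},
    "intranet.example": {"header": _header(" * Version: 2.9.12\n"), "internet_facing": False, "business_critical": True},
    "legacy.example":   {"header": _header(""),                     "internet_facing": True,  "business_critical": False},
    "blog.example":     {"header": _header(" * Version: 2.9.16\n"), "internet_facing": True,  "business_critical": True},
}


if __name__ == "__main__":
    for finding in triage(SAMPLE_SITES):
        version = ".".join(map(str, finding["version"])) if finding["version"] else "unreadable"
        print(f'{finding["priority"]:8} {finding["site"]:18} {version}')
```

Treat the UNKNOWN bucket as work, not as cleared: a header that cannot be parsed usually means a hand-modified or vendored copy of the plugin, which is exactly the kind of install that gets missed by automated updates.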
