Vulnerability Description
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/
- https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/
- https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/
- https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/
- https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/
- https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/
- https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/inclu
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe
FAQ
What is CVE-2025-13320?
CVE-2025-13320 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in th...
How severe is CVE-2025-13320?
CVE-2025-13320 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-13320?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.