CVE-2026-49766: WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects the WP User Manager WordPress plugin in versions 2.9.16 and below. The flaw is reachable over the network by any authenticated user holding a subscriber-level account, with no additional privileges or victim interaction required. Successful exploitation lets an attacker delete arbitrary files on the server, which in practice enables complete site takeover by removing critical WordPress configuration files and triggering a reinstallation flow. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-49766 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle WP User Manager, not just official upstream images.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 9.9 (Critical) and applying per-environment compliance policy weighting to determine escalation urgency. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.
Status: Pending upstream
Exploit Conditions
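Matching a bundled plugin against the advisory's affected range comes down to reading the plugin header and comparing versions numerically rather than as strings (a string compare ranks "2.10.0" below "2.9.16"). The following is an added example, not HarborGuard's scanner or WP User Manager's own code; the plugin header text is a constructed stand-in and the `FIXED_IN` placeholder is empty because the page records no fixed version.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a WordPress plugin header, as found at the top of a
# plugin's main PHP file. The real header of WP User Manager is not on the
# advisory page; this is an illustrative stand-in with the affected version.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP User Manager
 * Version: 2.9.16
 * Text Domain: wp-user-manager
 */
"""

# Affected range from the advisory: every version <= 2.9.16.
AFFECTED_MAX_VERSION = "2.9.16"
# Placeholder: no upstream fix has been published, so there is no upper bound yet.
FIXED_IN: Optional[str] = None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.16' into (2, 9, 16) so each component compares numerically.

    Trailing non-numeric parts (e.g. '-beta') are dropped; they are not
    needed to place a release inside or outside the affected range here.
    """
    nums = []
    for part in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def extract_plugin_version(php_source: str, plugin_name: str) -> Optional[str]:
    """Return the 'Version:' header value if the file declares plugin_name."""
    name = re.search(r"Plugin Name:\s*(.+)", php_source)
    if not name or name.group(1).strip() != plugin_name:
        return None
    ver = re.search(r"Version:\s*([0-9][^\s]*)", php_source)
    return ver.group(1) if ver else None


def is_affected(version: str,
                affected_max: str = AFFECTED_MAX_VERSION,
                fixed_in: Optional[str] = FIXED_IN) -> bool:
    """Affected if <= the advisory's max version, or below a known fix version."""
    v = parse_version(version)
    if v <= parse_version(affected_max):
        return True
    return fixed_in is not None and v < parse_version(fixed_in)


def assess_plugin_file(php_source: str) -> Tuple[Optional[str], bool]:
    """Scan one plugin file: (detected version or None, affected flag)."""
    version = extract_plugin_version(php_source, "WP User Manager")
    if version is None:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    print(assess_plugin_file(SAMPLE_PLUGIN_HEADER))  # ('2.9.16', True)
```

The same comparison works once a fixed version exists: set `FIXED_IN` and any release between 2.9.16 and that version is also flagged.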
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
  A low-privilege subscriber-level account is sufficient; no administrative or elevated role is needed.
- Victim interaction: Not required
  The attacker can trigger file deletion entirely on their own without any action from another user or an administrator.
- Attack complexity: Low (AC:L)
  Exploitation is reliable and condition-free; no race conditions or special environmental setup are required.
Blast Radius
- Deletes arbitrary files on the server filesystem, including wp-config.php, forcing a WordPress reinstallation flow that an attacker can hijack to gain full administrative control.
- Removes theme, plugin, or upload files, causing immediate site outage and potential permanent data loss for stored media and assets.
- Eliminates security-sensitive files such as .htaccess rules or certificate material, stripping server-level access controls and exposing additional attack surface.
- Because the CVSS scope is Changed, impact can extend beyond the WordPress application itself to other services or files sharing the same server filesystem.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-49766 exists as of the publication date, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version of WP User Manager is released. In the interim, compensating controls are worth considering: network-policy isolation that restricts who can reach the WordPress instance, egress filtering to limit what the web process can touch on the filesystem, and disabling subscriber-level self-registration if it is not a required feature. Where compliance policy permits, customers with auto-remediation enabled will receive an automatic rebuild, regression test run, and a PR opened against affected workloads as soon as a fix version is published upstream, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes under that configuration.
Affected Products
- WP User Manager / WP User Manager: ≤ 2.9.16
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H