CVE-2026-9290: WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Local File Inclusion (LFI) via path traversal in the WP User Manager plugin for WordPress (versions up to and including 2.9.17) allows an unauthenticated remote attacker to include and execute arbitrary PHP files on the server through the 'tab' query parameter. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation enables an attacker to read sensitive data, bypass access controls, or achieve remote code execution if a PHP file can be uploaded to the server. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection (Available)
Detection of CVE-2026-9290 is available across every HarborGuard environment. Images containing WP User Manager at version 2.9.17 or earlier are matched against this CVE within minutes of publication, including custom-built WordPress images that bundle the plugin directly.
- Scoring and triage (Available)
HarborGuard scores this CVE at CVSS 7.5 (HIGH) based on the published v3.1 vector and weights it against each customer environment's compliance policy. Triage findings are routed to the appropriate team inbox within the customer org for prioritization.
- Remediation (Pending upstream)
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor ships a remediated version. In the interim, customers with network-isolation or compensating-control policies can use HarborGuard's policy engine to flag or block deployment of affected images.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the WordPress instance.
- Authentication: Not required
No account or credentials of any kind are needed to trigger the path traversal and file inclusion.
- Victim interaction: Not required
The attacker can exploit this vulnerability autonomously without any action from a user or administrator.
- Attack complexity: Low (AC:L in the published CVSS vector)
Exploit conditions are straightforward and reliable; no race conditions or special environmental factors need to be satisfied.
Blast Radius
- An attacker can read arbitrary PHP files on the server, including configuration files that contain database credentials and secret keys.
- If the attacker can upload a PHP file anywhere on the server (via any upload mechanism), they can include and execute it, achieving full remote code execution.
- Execution of included PHP files can be used to create or modify WordPress administrator accounts, bypassing all access controls.
- Sensitive data such as stored user records, hashed passwords, and API tokens held in the database or on the filesystem becomes readable.
How HarborGuard Handles This
Available on HarborGuard: any image found to contain WP User Manager at version 2.9.17 or earlier is flagged as HIGH severity and surfaced in the affected customer environment's vulnerability dashboard immediately upon CVE ingestion. Because no upstream patch exists as of the publication date of this advisory, HarborGuard monitors the Wordfence advisory feed and the WordPress plugin repository on every ingest cycle; a patched-image rebuild will become available automatically the moment an upstream fix is published. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix version is released. In the interim, compensating controls are strongly recommended: use WordPress server network policies to restrict inbound HTTP access to known IP ranges, disable or remove WP User Manager from any publicly accessible installation until a patch is available, and audit server upload directories to ensure no attacker-controlled PHP files are present, since the LFI primitive becomes RCE only when a writable upload path exists.
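As an added example (not code from the advisory, from HarborGuard, or from the plugin), the following Python scan supports the audit recommended above: it reads web-server access logs and flags requests whose 'tab' query value carries path-traversal sequences, percent-decoding repeatedly so double-encoded variants are not missed and treating anything that is not a plain slug as worth a look. The log format, the slug shape and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:12:00:01 +0000] "GET /profile/?tab=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:02 +0000] "GET /profile/?tab=../../../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /profile/?tab=..%252F..%252Fwp-content%2Fuploads%2Fnotes.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.4 - - [10/May/2026:12:00:04 +0000] "GET /profile/?tab=posts&page=2 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:05 +0000] "GET /profile/?tab=about.php HTTP/1.1" 404 210 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SLUG_RE = re.compile(r"[A-Za-z0-9_-]+")          # shape of a legitimate tab name (assumption)
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")  # a '..' path segment after normalisation

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded '%252F' ends up as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_tab(raw):
    """Return (reason, decoded); reason is 'traversal', 'non-slug' or None when benign."""
    decoded = decode_fully(raw).replace("\\", "/")  # treat backslash as a separator too
    if "\x00" in decoded or TRAVERSAL_RE.search(decoded):
        return "traversal", decoded
    if not SLUG_RE.fullmatch(decoded):
        return "non-slug", decoded
    return None, decoded

def scan_log(text):
    """Return one finding per request whose 'tab' query value is not a plain slug."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs decodes once; classify_tab keeps decoding to catch double encoding
        for raw in parse_qs(urlsplit(m["target"]).query, keep_blank_values=True).get("tab", []):
            reason, decoded = classify_tab(raw)
            if reason:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "raw": raw, "decoded": decoded, "reason": reason})
    return findings
```

Calling scan_log(SAMPLE_LOG) returns three findings: the plain traversal, the double-encoded traversal, and the non-slug value about.php; 'traversal' hits warrant immediate review of the upload directories named above.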
Affected Products
- wpusermanager / WP User Manager – User Profile Builder & Membership: ≤ 2.9.17
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- wordfence.com
- plugins.trac.wordpress.org
- github.com