CVE-2025-9693 Overview
CVE-2025-9693 is an arbitrary file deletion vulnerability in the User Meta – User Profile Builder and User Management WordPress plugin. The flaw affects all versions up to and including 3.1.2. The vulnerability stems from insufficient file path validation in the postInsertUserProcess function. Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the server. Deleting critical files such as wp-config.php can trigger WordPress reinstallation flows, enabling remote code execution. The weakness is classified under CWE-22 Path Traversal.
Critical Impact
Authenticated Subscriber-level attackers can delete arbitrary server files, leading to remote code execution when sensitive configuration files like wp-config.php are targeted.
Affected Products
- User Meta – User Profile Builder and User Management plugin for WordPress
- All plugin versions up to and including 3.1.2
- WordPress sites permitting Subscriber-level registration
Discovery Timeline
- 2025-09-11 - CVE-2025-9693 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9693
Vulnerability Analysis
The User Meta plugin processes user profile updates through the postInsertUserProcess function defined in models/classes/UserInsert.php. This function handles file-related operations associated with custom user profile fields. The implementation fails to validate file paths supplied during the user insertion workflow. Attackers can supply traversal sequences that resolve outside the intended upload directory. The plugin then performs deletion against the attacker-controlled path. Because the function runs in the context of authenticated users, any account with Subscriber-level access or above can trigger deletion. Deleting wp-config.php causes WordPress to enter its setup state, allowing an attacker to point the installation at a database under their control and achieve remote code execution.
Root Cause
The root cause is missing path sanitization and canonicalization within the postInsertUserProcess function. The plugin trusts user-supplied file references without confirming they reside within an allowed directory. No allow-listing, realpath resolution, or boundary check prevents directory traversal sequences from escaping the upload directory.
Attack Vector
Exploitation requires an authenticated session at Subscriber level or higher and user interaction. The attacker submits a crafted profile-update request that references a file path outside the plugin's intended scope. The vulnerable function processes the request and removes the target file. See the WordPress User Insert Code and the Wordfence Vulnerability Report for source-level details.
Detection Methods for CVE-2025-9693
Indicators of Compromise
- Unexpected deletion of wp-config.php or other core WordPress files on disk
- WordPress installation entering the initial setup wizard on a previously configured site
- Profile update or registration requests from low-privilege accounts containing ../ traversal sequences in file-related parameters
- New administrator accounts created shortly after a missing wp-config.php event
Detection Strategies
- Monitor POST requests to plugin endpoints invoking postInsertUserProcess for traversal patterns in file parameters
- Audit web server logs for Subscriber-level accounts performing profile actions referencing files outside the uploads directory
- Use file integrity monitoring on the WordPress root, wp-content, and wp-includes directories
Monitoring Recommendations
- Enable WordPress audit logging for user profile changes and plugin actions
- Alert on deletion events involving wp-config.php, .htaccess, and PHP files in the WordPress root
- Track creation of new admin accounts following file deletion events to identify post-exploitation activity
How to Mitigate CVE-2025-9693
Immediate Actions Required
- Update the User Meta plugin to a release later than 3.1.2 once the vendor publishes a patched version
- Restrict new user registration or limit Subscriber-role capabilities until patching is complete
- Back up wp-config.php and database credentials and store them outside the web root where supported
- Review user accounts and remove unrecognized Subscriber-level registrations
Patch Information
The vulnerability affects all versions through 3.1.2. Administrators should consult the Wordfence Vulnerability Report for the fixed version and apply the update through the WordPress plugin manager.
Workarounds
- Deactivate the User Meta plugin until a patched version is installed
- Disable open user registration in WordPress general settings
- Apply a Web Application Firewall rule to block requests containing ../ sequences in User Meta plugin parameters
- Set restrictive file system permissions so the web server user cannot delete files outside the uploads directory
# Configuration example: restrict permissions on wp-config.php
chown root:www-data /var/www/html/wp-config.php
chmod 640 /var/www/html/wp-config.php
# Disable open registration via wp-cli
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

