Skip to main content
CVE Vulnerability Database

CVE-2025-9693: User Meta WordPress Path Traversal Flaw

CVE-2025-9693 is a path traversal vulnerability in the User Meta WordPress plugin that enables arbitrary file deletion and potential remote code execution. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9693 Overview

CVE-2025-9693 is an arbitrary file deletion vulnerability in the User Meta – User Profile Builder and User Management WordPress plugin. The flaw affects all versions up to and including 3.1.2. The vulnerability stems from insufficient file path validation in the postInsertUserProcess function. Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the server. Deleting critical files such as wp-config.php can trigger WordPress reinstallation flows, enabling remote code execution. The weakness is classified under CWE-22 Path Traversal.

Critical Impact

Authenticated Subscriber-level attackers can delete arbitrary server files, leading to remote code execution when sensitive configuration files like wp-config.php are targeted.

Affected Products

  • User Meta – User Profile Builder and User Management plugin for WordPress
  • All plugin versions up to and including 3.1.2
  • WordPress sites permitting Subscriber-level registration

Discovery Timeline

  • 2025-09-11 - CVE-2025-9693 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9693

Vulnerability Analysis

The User Meta plugin processes user profile updates through the postInsertUserProcess function defined in models/classes/UserInsert.php. This function handles file-related operations associated with custom user profile fields. The implementation fails to validate file paths supplied during the user insertion workflow. Attackers can supply traversal sequences that resolve outside the intended upload directory. The plugin then performs deletion against the attacker-controlled path. Because the function runs in the context of authenticated users, any account with Subscriber-level access or above can trigger deletion. Deleting wp-config.php causes WordPress to enter its setup state, allowing an attacker to point the installation at a database under their control and achieve remote code execution.

Root Cause

The root cause is missing path sanitization and canonicalization within the postInsertUserProcess function. The plugin trusts user-supplied file references without confirming they reside within an allowed directory. No allow-listing, realpath resolution, or boundary check prevents directory traversal sequences from escaping the upload directory.

Attack Vector

Exploitation requires an authenticated session at Subscriber level or higher and user interaction. The attacker submits a crafted profile-update request that references a file path outside the plugin's intended scope. The vulnerable function processes the request and removes the target file. See the WordPress User Insert Code and the Wordfence Vulnerability Report for source-level details.

Detection Methods for CVE-2025-9693

Indicators of Compromise

  • Unexpected deletion of wp-config.php or other core WordPress files on disk
  • WordPress installation entering the initial setup wizard on a previously configured site
  • Profile update or registration requests from low-privilege accounts containing ../ traversal sequences in file-related parameters
  • New administrator accounts created shortly after a missing wp-config.php event

Detection Strategies

  • Monitor POST requests to plugin endpoints invoking postInsertUserProcess for traversal patterns in file parameters
  • Audit web server logs for Subscriber-level accounts performing profile actions referencing files outside the uploads directory
  • Use file integrity monitoring on the WordPress root, wp-content, and wp-includes directories

Monitoring Recommendations

  • Enable WordPress audit logging for user profile changes and plugin actions
  • Alert on deletion events involving wp-config.php, .htaccess, and PHP files in the WordPress root
  • Track creation of new admin accounts following file deletion events to identify post-exploitation activity

How to Mitigate CVE-2025-9693

Immediate Actions Required

  • Update the User Meta plugin to a release later than 3.1.2 once the vendor publishes a patched version
  • Restrict new user registration or limit Subscriber-role capabilities until patching is complete
  • Back up wp-config.php and database credentials and store them outside the web root where supported
  • Review user accounts and remove unrecognized Subscriber-level registrations

Patch Information

The vulnerability affects all versions through 3.1.2. Administrators should consult the Wordfence Vulnerability Report for the fixed version and apply the update through the WordPress plugin manager.

Workarounds

  • Deactivate the User Meta plugin until a patched version is installed
  • Disable open user registration in WordPress general settings
  • Apply a Web Application Firewall rule to block requests containing ../ sequences in User Meta plugin parameters
  • Set restrictive file system permissions so the web server user cannot delete files outside the uploads directory
bash
# Configuration example: restrict permissions on wp-config.php
chown root:www-data /var/www/html/wp-config.php
chmod 640 /var/www/html/wp-config.php

# Disable open registration via wp-cli
wp option update users_can_register 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.