Login Sign Up

CVE-2025-13320

6.8 MEDIUM
Path Traversal

📋 TL;DR

The WP User Manager WordPress plugin has an arbitrary file deletion vulnerability that allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This occurs due to insufficient validation of user-supplied file paths in profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. The vulnerability only affects sites with custom avatar settings enabled.

💻 Affected Systems

Products:
  • WP User Manager WordPress Plugin
Versions: All versions up to and including 2.9.12
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when custom avatar setting is enabled in plugin configuration

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete critical system files, leading to complete site compromise, remote code execution, or denial of service.

🟠

Likely Case

Attackers delete WordPress core files, plugin files, or configuration files causing site disruption and potential data loss.

🟢

If Mitigated

With proper file permissions and monitoring, impact is limited to non-critical files in web-accessible directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access (Subscriber-level or higher) and custom avatar setting enabled

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.13 or later

Vendor Advisory: https://wordpress.org/plugins/wp-user-manager/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find WP User Manager plugin
4. Click 'Update Now' if update available
5. Alternatively, download version 2.9.13+ from WordPress.org and replace plugin files

🔧 Temporary Workarounds

Disable Custom Avatar Setting

all

Temporarily disable the vulnerable feature until patched

Restrict File Permissions

linux

Set restrictive permissions on critical directories

chmod 755 /var/www/html/wp-content/uploads
chmod 644 /var/www/html/wp-config.php

🧯 If You Can't Patch

  • Disable WP User Manager plugin completely
  • Implement strict file integrity monitoring and alerting

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP User Manager version. If version is 2.9.12 or lower and custom avatar setting is enabled, system is vulnerable.

Check Version:

wp plugin list --name=wp-user-manager --field=version

Verify Fix Applied:

Verify plugin version is 2.9.13 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in web server logs
  • Multiple failed file operations from single user
  • POST requests to profile update endpoints with unusual file paths

Network Indicators:

  • HTTP POST requests containing 'current_user_avatar' parameter with path traversal sequences

SIEM Query:

source="web_server" action="DELETE" OR (method="POST" AND uri="*/profile/*" AND params CONTAINS "current_user_avatar")

📊 Metadata

CVE ID: CVE-2025-13320
CVSS v3 Score: 6.8 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
CWE: CWE-73
EPSS Score: 0.25% exploit probability (47.7th percentile)
Published: December 12, 2025
Last Updated: December 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13320, you might also want to check these:

CVE-2026-27211 10.0

Cloud Hypervisor versions 34.0 through 50.0 are vulnerable to host file exfiltration when using virt...

Same vulnerability type (CWE-73)
CVE-2024-55371 9.8

Wallos versions up to 2.38.2 contain a file upload vulnerability in the restore backup function that...

Same vulnerability type (CWE-73)
CVE-2025-29708 9.8

SourceCodester Company Website CMS 1.0 contains an unauthenticated file upload vulnerability in the ...

Same vulnerability type (CWE-73)