CVE Alert: CVE-2025-9693 - khaledsaikat - User Meta – User Profile Builder and User management plugin

CVE-2025-9693

HIGHNo exploitation known

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS v3.1 (8)

Vendor

khaledsaikat

Product

User Meta – User Profile Builder and User management plugin

Versions

* lte 3.1.2

CWE

CWE-22, CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Published

2025-09-11T07:25:00.225Z

Updated

2025-09-11T07:25:00.225Z

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/d482f3a1-4a5a-4382-88b1-fd3b91605694?source=cve

https://plugins.trac.wordpress.org/browser/user-meta/tags/3.1.2/models/classes/UserInsert.php#L642

AI Summary Analysis

Risk verdict

Why this matters

Most likely attack path

Who is most exposed

Detection ideas

Monitor for authenticated file-deletion events from web server logs tied to user actions, especially from Subscriber+ roles.
Look for atypical file-delete attempts outside permitted directories, including path traversal-like patterns (../../, etc.).
Audit access- and error-logs around file-system operations following user management events in the plugin.
Alert on repeated delete requests targeting configuration or core PHP files.
Verify plugin version and update activity to identify known-broken instances.

Mitigation and prioritisation

Patch or upgrade to the fixed release; if unavailable, disable or remove the plugin or restrict Subscriber+ capabilities.
Enforce least privilege; restrict file-delete permissions for non-admin roles.
Enable WAF/IPS rules to block path traversal indicators and anomalous file operations.
Implement robust backups with tested restore procedures and verify integrity after admin actions.
Incorporate change-management notes for the upgrade and monitor for post-patch anomalies.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-9693, khaledsaikat, OSINT, threatintel, user-meta-user-profile-builder-and-user-management-plugin