Platform: wordpress
Component: user-meta
Fixed in: 3.1.3
CVE-2025-9693 describes an arbitrary file deletion vulnerability discovered in the User Meta – User Profile Builder and User management plugin for WordPress. This vulnerability allows authenticated attackers, with Subscriber-level access or higher, to delete arbitrary files on the server. Successful exploitation could lead to remote code execution, particularly if critical files like wp-config.php are deleted, compromising the entire WordPress installation. The vulnerability impacts versions 0.0.0 through 3.1.2, and a fix is available in version 3.1.3.
The primary impact of CVE-2025-9693 is the potential for remote code execution. By leveraging insufficient file path validation in the postInsertUserProcess function, an attacker can delete any file accessible to the web server process. The most critical scenario involves deleting wp-config.php, which contains sensitive database credentials and configuration settings. Deletion of this file effectively disables the WordPress site and allows the attacker to potentially gain control of the database and server. Beyond wp-config.php, deletion of other configuration files or core WordPress files could also lead to significant system compromise. The ease of exploitation, requiring only Subscriber-level access, significantly broadens the attack surface.
CVE-2025-9693 was publicly disclosed on 2025-09-11. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the potential for RCE. The relatively low access requirements (Subscriber role) suggest a higher probability of exploitation in the wild, particularly on vulnerable WordPress installations with weak security configurations.
EPSS: 0.16% (37th percentile)
The primary mitigation for CVE-2025-9693 is to immediately upgrade the User Meta – User Profile Builder and User management plugin to version 3.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to minimize the potential impact of file deletion. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts targeting the plugin's endpoints. Regularly review WordPress user roles and permissions to ensure the principle of least privilege is enforced. Monitor WordPress logs for unusual file deletion activity. There are no specific Sigma or YARA rules available at this time, but monitoring file system changes is crucial.
Update the User Meta – User Profile Builder and User management plugin to version 3.1.3 or later to mitigate the arbitrary file deletion vulnerability. This update corrects the missing validation of file paths, preventing authenticated attackers from deleting sensitive files on the server.
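The root cause described above is a file path that reaches the delete operation without being checked. The following added example (not the plugin's code, and not a reconstruction of its fixed `postInsertUserProcess`) shows the class of check that closes this bug: a hypothetical helper `delete_within_directory()` that only unlinks a regular file whose canonical path resolves inside one allowed directory. The temporary directory and file names are constructed for the demonstration; a real plugin would pass its upload directory instead.

```php
<?php
// Added example, not the plugin's own code. Confines deletions to one
// allowed directory so that names such as "../wp-config.php" are rejected.

/**
 * Delete $requested only if it is a bare file name that resolves to a
 * regular file inside $allowedDir. Returns true on deletion, false otherwise.
 */
function delete_within_directory(string $allowedDir, string $requested): bool
{
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        return false; // the allowed directory itself must exist
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Accept only a bare file name: no "..", no slashes, no absolute paths.
    if (basename($requested) !== $requested) {
        return false;
    }
    // realpath() also resolves symlinks, so a link pointing outside fails below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return false; // does not exist
    }
    // The canonical target must still sit under the allowed directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false; // never unlink directories or special files
    }
    return unlink($target);
}

// Demonstration on constructed files in a temporary directory.
$uploads = sys_get_temp_dir() . '/um_example_' . bin2hex(random_bytes(4));
mkdir($uploads);
file_put_contents($uploads . '/avatar.png', 'constructed content');
$outside = tempnam(sys_get_temp_dir(), 'cfg'); // stands in for a config file

var_dump(delete_within_directory($uploads, '../' . basename($outside)));
var_dump(file_exists($outside));                 // the outside file survives
var_dump(delete_within_directory($uploads, 'avatar.png'));
var_dump(file_exists($uploads . '/avatar.png')); // the in-directory file is gone

unlink($outside);
rmdir($uploads);
```

The same containment check belongs in front of every filesystem operation that takes a user-controlled name, not only deletion.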
CVE-2025-9693 is a vulnerability in the User Meta plugin for WordPress allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if your WordPress site uses the User Meta plugin in versions 0.0.0 through 3.1.2.
Upgrade the User Meta plugin to version 3.1.3 or later to resolve the vulnerability.
While no active exploitation has been confirmed, the ease of exploitation suggests a high probability of exploitation in the wild.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.