PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49766 WP User Manager CVE debrief

CVE-2026-49766 is a critical vulnerability in the WP User Manager plugin for WordPress, affecting versions up to and including 2.9.16. It allows an authenticated user with subscriber-level privileges to delete arbitrary files on the server, which can lead to data loss, site defacement, or code execution if sensitive files (for example configuration or access-control files) are removed.

Vendor: WP User Manager
Product: Unknown
CVSS: 9.9 (Critical)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-15
Advisory published: 2026-06-15
Advisory updated: 2026-06-15

Who should care

Administrators and security teams responsible for WordPress installations running the WP User Manager plugin, especially sites that allow open subscriber registration, should be aware of this vulnerability and take immediate action to mitigate the risk.

Technical summary

The vulnerability stems from improper handling of file deletion operations within the WP User Manager plugin. Specifically, it allows users with subscriber-level privileges to delete files anywhere on the server that the web server process has permission to modify. This could include sensitive configuration files, .htaccess files, or files containing sensitive data.

Defensive priority

High

Recommended defensive actions

  • Update the WP User Manager plugin to a version that fixes this vulnerability (any version later than 2.9.16).
  • Review web server and WordPress activity logs for suspicious file deletion activity, particularly requests from subscriber-level accounts.
  • Consider temporarily restricting file deletion capabilities for subscriber accounts until the update can be applied.
  • Monitor the plugin's changelog and security advisories for any related updates or patches.

Evidence notes

Evidence of this vulnerability and its impact is drawn from the CVE record and related security advisories. The CVSS score of 9.9 indicates critical severity, emphasizing the urgent need for remediation.

Official resources

CVE-2026-49766 was published on 2026-06-15T21:17:21.703Z and modified on 2026-06-15T21:24:32.790Z.