CVE-2025-13320 is an Arbitrary File Deletion vulnerability classified under CWE-73, affecting the WP User Manager – User Profile Builder & Membership plugin for WordPress in all versions up to and including 2.9.12. The root cause is insufficient validation of user-supplied file paths in the profile update functionality, specifically involving the 'current_user_avatar' parameter. This is compounded by PHP's filter_input() function improperly handling array inputs, which allows attackers with authenticated access at Subscriber level or higher to manipulate file paths and delete arbitrary files on the server. The vulnerability requires the custom avatar setting to be enabled, which is not enabled by default. The attack is executed in two stages, with the initial file deletion potentially enabling remote code execution, significantly elevating the threat. The CVSS v3.1 score is 6.8 (medium severity), reflecting network attack vector, high complexity, low privileges required, no user interaction, and impact on integrity and availability but not confidentiality. No patches or known exploits have been reported at the time of publication. This vulnerability highlights the risks of insufficient input validation and the dangers of allowing user-controlled file paths in web applications, especially in widely used CMS plugins.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to delete arbitrary files on the web server, which can disrupt website functionality, cause denial of service, or facilitate further attacks such as remote code execution. The potential for remote code execution elevates the risk to critical if exploited, as it could lead to full server compromise, data theft, or use of the server as a pivot point for lateral movement. Organizations running WordPress sites with this plugin and the custom avatar feature enabled are at risk of service disruption and data integrity loss. Given WordPress's widespread use, this vulnerability could affect a large number of websites globally, including e-commerce, membership, and community platforms. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following disclosure. The medium CVSS score reflects the need for timely remediation to prevent escalation.

Organizations should immediately verify if the WP User Manager plugin is installed and check the version; upgrading to a patched version once available is the best mitigation. Until a patch is released, disabling the custom avatar feature will prevent exploitation. Restricting Subscriber-level users from accessing profile update functionalities or limiting file upload capabilities can reduce attack surface. Implementing web application firewall (WAF) rules to detect and block suspicious requests targeting the 'current_user_avatar' parameter can provide temporary protection. Regularly auditing file permissions on the server to minimize damage from arbitrary file deletions and maintaining frequent backups will aid recovery. Monitoring logs for unusual file deletion activities or profile update anomalies is also recommended. Finally, applying the principle of least privilege for user roles and keeping PHP and WordPress core updated reduces overall risk.