CVE-2025-13320: CWE-73 External Control of File Name or Path in wpusermanager WP User Manager – User Profile Builder & Membership
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
AI Analysis
Technical Summary
CVE-2025-13320 is classified as CWE-73 (External Control of File Name or Path) and affects the WP User Manager plugin for WordPress in all versions up to and including 2.9.12. The flaw is insufficient validation of the 'current_user_avatar' parameter in the profile update functionality, compounded by how PHP's filter_input() treats array input: when the named parameter is submitted as an array and no array flag is set, filter_input() returns false instead of the value, so a validation check written against the scalar return is skipped while the raw array value can still reach the file-handling code. An authenticated user with Subscriber-level privileges or higher can exploit this in two stages, first getting an attacker-controlled file path stored as the avatar value and then triggering the deletion, to delete arbitrary files on the web server. The advisory does not detail the path to remote code execution; on WordPress, arbitrary file deletion is typically escalated by removing wp-config.php, which returns the site to its installer, so RCE is a realistic follow-on rather than a theoretical one. Only sites with the custom avatar setting enabled are affected. The CVSS v3.1 base score is 6.8 (medium): network attack vector, high attack complexity, low privileges required, no user interaction, high impact on integrity and availability, none on confidentiality. No public exploit has been reported. The complexity rating reflects the two-stage nature of the attack, not the privilege bar, which is low: on membership sites Subscriber accounts are often self-registered, so "authenticated" should not be read as much of an obstacle.
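The filter_input() pitfall described above, as an added PHP example that is not the plugin's code. The weak handler is an illustrative pattern (a scalar filter used as the validation gate, with the raw request value used afterwards), not a claim about how WP User Manager is written; the avatar directory, file names and request shapes are constructed for the demo, and filter_var() stands in for filter_input() because filter_input() reads the real request body, which does not exist on the command line. Both functions apply the same rule: a scalar filter handed an array returns false.

```php
<?php
// Added example (not the plugin's code): a validation gate built on a scalar
// filter is skipped when the parameter arrives as an array, and the raw value
// then flows into the path. The hardened version rejects non-strings, accepts
// only a bare file name, and confines the canonical path to the avatar directory.
declare(strict_types=1);

// Illustrative weak pattern (assumption, not the vendor's code): filter_var()
// returns false for ['..'] just as filter_input() does, so the traversal check
// never runs, and the raw value is used to build the filesystem path.
function weak_resolve_avatar(array $post, string $avatarDir): ?string
{
    $avatar = filter_var($post['current_user_avatar'] ?? '', FILTER_DEFAULT);
    if (is_string($avatar) && strpos($avatar, '..') !== false) {
        return null;                                  // traversal "caught" (string form only)
    }
    $raw  = $post['current_user_avatar'] ?? '';
    $name = is_array($raw) ? (string) reset($raw) : (string) $raw;   // raw value wins
    return $avatarDir . '/' . $name;
}

// Hardened replacement: treat anything that is not a non-empty string as a
// rejection, allow only a plain file name, then compare canonical paths.
function safe_resolve_avatar(array $post, string $avatarDir): ?string
{
    $raw = $post['current_user_avatar'] ?? null;
    if (!is_string($raw) || $raw === '' || in_array($raw, ['.', '..'], true)) {
        return null;
    }
    if ($raw !== basename($raw) || preg_match('/^[A-Za-z0-9._-]{1,255}$/', $raw) !== 1) {
        return null;                                  // separators or odd characters
    }
    $base      = realpath($avatarDir);
    $candidate = realpath($avatarDir . DIRECTORY_SEPARATOR . $raw);
    if ($base === false || $candidate === false) {
        return null;                                  // directory or file does not exist
    }
    // Containment on the resolved paths defeats symlinks as well as '..'.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixtures: a fake avatar directory and a file outside it that an
// attacker would want deleted. Nothing here calls unlink() on the result.
$avatarDir = sys_get_temp_dir() . '/wpum-demo-avatars';
@mkdir($avatarDir, 0700, true);
touch($avatarDir . '/me.png');
$outside = sys_get_temp_dir() . '/wpum-demo-secret.txt';
touch($outside);

$requests = [
    'legit'     => ['current_user_avatar' => 'me.png'],
    'traversal' => ['current_user_avatar' => '../wpum-demo-secret.txt'],
    'array'     => ['current_user_avatar' => ['../wpum-demo-secret.txt']],
];
// The 'array' row is the interesting one: the weak resolver returns a path
// that points outside the avatar directory, the hardened one returns null.
foreach ($requests as $label => $post) {
    printf("%-9s weak=%s safe=%s\n", $label,
        var_export(weak_resolve_avatar($post, $avatarDir), true),
        var_export(safe_resolve_avatar($post, $avatarDir), true));
}

// Remove only the fixtures this script created.
unlink($avatarDir . '/me.png');
rmdir($avatarDir);
unlink($outside);
```

Run it with `php demo.php`. The lesson for review of any PHP input handling: a false from filter_input() or filter_var() means "reject", never "nothing to validate", and a path check has to run on the value that is actually used, after it has been resolved.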
Potential Impact
For European organizations, this vulnerability poses a risk to websites running WordPress with the WP User Manager plugin installed and the custom avatar feature enabled. Successful exploitation deletes arbitrary files on the web server, which can remove web application components or configuration files, causing service disruption and data loss. The possibility of remote code execution elevates the threat: an attacker who reaches that point can take control of the web server, pivot within the network, or deploy malware. Beyond the direct impact on integrity and availability, consequences include reputational damage, regulatory exposure (under GDPR if personal data is affected), and financial loss. Organizations running WordPress for customer-facing portals, membership sites, or internal applications are particularly exposed, because membership and community sites usually allow self-registration, which hands any visitor the Subscriber role the attack requires. Where registration is closed, the requirement for an authenticated account reduces exposure to anonymous attackers, but compromised or insider accounts still qualify. The medium severity reflects the conditions that must hold (feature enabled, account available, two-stage attack), not a low impact, so prompt attention is still warranted.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the WP User Manager plugin and check whether the custom avatar setting is enabled. If it is, disable the feature until the plugin has been updated. The advisory lists no patch link; since all versions up to and including 2.9.12 are affected, watch the plugin's changelog and update as soon as a release newer than 2.9.12 is published, then re-enable custom avatars only after upgrading. Because Subscriber is the lowest WordPress role, "limiting Subscriber-level privileges" in practice means limiting who can obtain an account: turn off open registration (Settings → General, "Anyone can register") where the site does not need it, review existing low-privilege accounts, and enforce strong authentication (MFA) to reduce the risk of account compromise. Web application firewall rules should cover both forms of the parameter, the plain 'current_user_avatar' value and the array form 'current_user_avatar[]', and flag traversal sequences, absolute paths, and non-string values in profile update requests. Maintain regular backups of web server files and the database so that deleted files can be restored. In custom code that uses filter_input() or filter_var(), treat a false return as a rejection rather than as "nothing to validate", and confine any path derived from user input to the intended directory (resolve it with realpath() and check the prefix) before it reaches unlink(). Security teams should monitor for profile update requests that carry the parameter as an array or with traversal sequences, for deletions outside the uploads directory, and for a site unexpectedly serving its installer page, which is what a deleted wp-config.php looks like. Finally, educate users about the risks of account compromise and enforce least privilege throughout.
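A stop-gap guard for the parameter named in the advisory, as an added example that is not vendor code and not a replacement for the plugin update. It is a must-use plugin (drop it into wp-content/mu-plugins/) that rejects any POST whose 'current_user_avatar' value is not a plain file name, and logs the attempt. Assumptions: the parameter arrives in the POST body under that exact name, a legitimate value is a bare file name, and the allowed character set and log format are this example's choice. Confirm what a legitimate profile update on your own site submits before deploying, and adjust the allow rule (for example to permit a URL) if it differs.

```php
<?php
/**
 * Plugin Name: WPUM avatar parameter guard (added example, not vendor code)
 * Description: Blocks profile-update POSTs whose current_user_avatar value is an
 *              array or anything other than a plain file name. Stop-gap until the
 *              plugin is updated past 2.9.12 and custom avatars are re-enabled.
 */
defined('ABSPATH') || exit;

// Priority 0 on 'init' runs before plugin handlers hooked at the default
// priority, whether the form posts to a page, to admin-ajax.php, or elsewhere.
add_action('init', function (): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !array_key_exists('current_user_avatar', $_POST)) {
        return;
    }

    $value = $_POST['current_user_avatar'];

    // Allow rule (assumption: legitimate values are bare file names). The array
    // form is rejected first, because that is the shape that slips past a
    // scalar filter_input() check.
    $ok = is_string($value)
        && $value !== ''
        && !in_array($value, ['.', '..'], true)
        && $value === basename($value)                        // no path separators
        && preg_match('/^[A-Za-z0-9._-]{1,255}$/', $value) === 1;

    if ($ok) {
        return;
    }

    // Log what was attempted (truncated), by whom, from where. Format is this
    // example's own; adjust to whatever your SIEM parses.
    error_log(sprintf(
        'wpum-guard: blocked current_user_avatar %s user=%d ip=%s uri=%s',
        is_array($value) ? 'type=array' : 'value=' . substr((string) $value, 0, 64),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ));

    wp_die('Invalid avatar parameter.', 'Bad Request', ['response' => 400]);
}, 0);
```

The same allow rule expressed in a WAF is the equivalent edge-side control; the mu-plugin has the advantage of seeing the decoded POST body and the WordPress user ID. Remove the guard once the updated plugin is installed, or keep it if it never fires on legitimate traffic.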
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:48:32.727Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9182650da22753edbafe
Added to database: 12/12/2025, 3:52:34 AM
Last enriched: 12/12/2025, 4:09:23 AM
Last updated: 12/15/2025, 4:15:53 AM