CVE-2025-13320: CWE-73 External Control of File Name or Path in wpusermanager WP User Manager – User Profile Builder & Membership
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
AI Analysis
Technical Summary
CVE-2025-13320 is classified under CWE-73 (External Control of File Name or Path) and affects the WP User Manager plugin for WordPress in all versions up to and including 2.9.12. The root cause is insufficient validation of user-supplied file paths in the profile update functionality, combined with the way PHP's filter_input() handles array input: when a scalar filter is applied to a parameter that the client submits as an array, filter_input() returns false rather than a string, so a validation step written for the string case can be skipped entirely. The result is that an authenticated attacker with Subscriber-level access or higher can delete arbitrary files on the web server by manipulating the 'current_user_avatar' parameter. The advisory describes this as a two-stage attack that can make remote code execution possible but does not spell out the stages. The best-known chain for arbitrary file deletion in WordPress is to remove wp-config.php, which returns the site to its setup screen and lets the attacker point it at a database they control and then install code through the normal administrative interface; whether that is the chain intended here is not stated. The vulnerability only affects sites where the custom avatar setting is enabled, which limits the attack surface. The CVSS v3.1 base score is 6.8 (medium), corresponding to the vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H: network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, and high integrity and availability impact. At the time of this analysis no public exploit or patch was known; check the vendor changelog for a release newer than 2.9.12 before relying on that statement.
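The PHP below is an added illustration, not code from WP User Manager or from the advisory, of the two ingredients the description names: PHP's filter_input() returning false instead of a string when a parameter arrives as an array, and a path check that confines the file operation to the uploads directory. Because a CLI script has no raw request for filter_input() to read, the same filter is applied with filter_var() to a constructed $_POST-style array. The function names, the shape of the naive check, and the sandbox directory are assumptions for the demonstration; the plugin's actual code path is not reproduced here.

```php
<?php
declare(strict_types=1);

// Added illustration; not WP User Manager's code. The "naive" function is a
// hypothetical sketch of the bug class, not the plugin's real logic.

/**
 * What filter_input()/filter_var() hands back for a scalar filter:
 *   null   when the parameter is absent,
 *   false  when the value is an array (no FILTER_REQUIRE_ARRAY flag given),
 *   string otherwise.
 */
function filter_avatar_param(array $post): string|false|null
{
    if (!array_key_exists('current_user_avatar', $post)) {
        return null;
    }
    return filter_var($post['current_user_avatar'], FILTER_SANITIZE_URL);
}

/**
 * Hypothetical vulnerable shape: the check is written for the string case and is
 * skipped when the filtered value is not a string, so an array submission
 * (current_user_avatar[]=...) is neither rejected nor compared against the
 * uploads URL. Returns true when the request would be allowed to proceed.
 */
function naive_check_allows(array $post, string $uploads_url): bool
{
    $filtered = filter_avatar_param($post);
    if (is_string($filtered)) {
        return str_starts_with($filtered, $uploads_url);
    }
    return true; // null or false treated as "nothing to validate": the bug
}

/**
 * Hardened resolver: decides which file, if any, may be deleted.
 *  1. anything that is not a non-empty string is rejected;
 *  2. only the basename comes from the request, the directory is fixed;
 *  3. both sides are canonicalised with realpath() and containment is enforced.
 * In real plugin code the avatar path stored in user meta at upload time should
 * be used instead of trusting the request at all.
 */
function resolve_avatar_for_deletion(mixed $requested, string $uploads_dir): ?string
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    $base      = realpath($uploads_dir);
    $candidate = realpath($uploads_dir . DIRECTORY_SEPARATOR . basename($requested));
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null; // outside the uploads directory, or the directory itself
    }
    return $candidate;
}

// --- demonstration on a constructed sandbox (temporary files, removed at the end) ---
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2025-13320-demo-' . getmypid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/avatar.png', 'png');
file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in');

$uploads_url = 'https://example.test/wp-content/uploads/';
$cases = [
    'legitimate string' => ['current_user_avatar' => $uploads_url . 'avatar.png'],
    'string outside'    => ['current_user_avatar' => 'https://example.test/wp-config.php'],
    'array submission'  => ['current_user_avatar' => ['../wp-config.php']],
];
foreach ($cases as $label => $post) {
    printf("%-18s naive check allows: %s\n", $label,
        naive_check_allows($post, $uploads_url) ? 'yes' : 'no');
}
// legitimate: yes, string outside: no, array submission: yes (the bypass)

foreach (['avatar.png', '../wp-config.php', ['../wp-config.php'], '', '..'] as $req) {
    $resolved = resolve_avatar_for_deletion($req, $uploads);
    printf("%-22s -> %s\n", json_encode($req, JSON_UNESCAPED_SLASHES), $resolved ?? 'rejected');
}
// only avatar.png resolves, and only to a path inside $uploads

unlink($uploads . '/avatar.png');
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root);
```

The first loop shows the class of bug: the array case never reaches the string comparison, so it is accepted. The resolver fixes it with a type check first, then basename() so the caller never controls the directory, then realpath() containment so that even a file that exists under the uploads directory via a symlink or a '..' component cannot resolve to something outside it.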
Potential Impact
For European organisations the exposure is any WordPress site running WP User Manager with the custom avatar feature enabled. Successful exploitation deletes files of the attacker's choosing, which undermines the integrity and availability of the web server and can cause outages or data loss; in the worst case the deletion is the first step towards remote code execution and full compromise of the host. That matters most where WordPress fronts customer portals, membership management or user profiles, since a compromised site can be defaced, leak personal data, or serve as a foothold for movement into internal networks. WordPress is widely used across Europe, particularly by small and medium enterprises and public-sector bodies, so the population of candidate targets is large. The privilege requirement is low: Subscriber is the default role WordPress assigns to self-registered users, so any site with open registration hands the attacker the account they need. Sites with the custom avatar setting disabled are not exposed. No in-the-wild exploitation was known at the time of this analysis, which lowers the immediate but not the future risk.
Mitigation Recommendations
European organisations should first determine whether WP User Manager is installed and which version is active (the Plugins screen, or `wp plugin list` with WP-CLI) and update to a release newer than 2.9.12 as soon as the vendor ships one. Until then, disable the custom avatar setting, which removes the affected code path entirely. Because the required privilege is Subscriber, the default role for self-registered users, turn off open registration (Settings → General → "Anyone can register") unless the site needs it, and audit existing low-privilege accounts. At the WAF or reverse proxy, flag or block profile-update requests in which current_user_avatar is submitted as an array (parameter names of the form current_user_avatar[...]) or contains '..' sequences, since a legitimate avatar value is a single URL or filename. Add file-integrity monitoring and alerting for deletions under the WordPress root, with wp-config.php as the highest-priority file, and keep tested offline backups so a deleted file can be restored. Note that filter_input() is a function the plugin calls, not a server setting: no PHP configuration changes how it treats array input, so the fix has to come from the plugin code. Finally, review plugin configuration and user permissions regularly and watch for vendor patches and public exploit code.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:48:32.727Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9182650da22753edbafe
Added to database: 12/12/2025, 3:52:34 AM
Last enriched: 12/19/2025, 5:39:44 AM
Last updated: 2/3/2026, 11:27:08 PM