CVE-2025-9693 is a path traversal vulnerability classified under CWE-22, found in the User Meta – User Profile Builder and User management plugin for WordPress, developed by khaledsaikat. The flaw exists in the postInsertUserProcess function, where the plugin fails to properly validate and restrict file paths before performing file deletion operations. This improper limitation allows authenticated users with minimal privileges (Subscriber-level and above) to craft malicious requests that delete arbitrary files on the web server. Critical files such as wp-config.php, which contains database credentials and other sensitive configuration data, can be targeted. Deleting such files can disrupt website functionality and enable attackers to execute arbitrary code remotely by manipulating the environment or triggering fallback behaviors. The vulnerability affects all plugin versions up to and including 3.1.2. The CVSS v3.1 base score is 8.0, reflecting network attack vector, low attack complexity, required privileges at the level of a subscriber, and user interaction. The impact includes high confidentiality, integrity, and availability loss. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered exploitable. The plugin is widely used in WordPress environments, increasing the potential attack surface. The lack of patch links suggests that fixes may not yet be available or widely distributed, emphasizing the need for immediate attention from administrators.

The vulnerability allows attackers with minimal authenticated access to delete arbitrary files on the server, which can lead to severe consequences including remote code execution, website defacement, data breaches, and denial of service. Deletion of critical files like wp-config.php can expose database credentials or cause site outages, impacting business continuity and user trust. Organizations relying on this plugin for user management face risks of unauthorized access escalation and full site compromise. The ease of exploitation combined with the low privilege requirement broadens the threat scope. Attackers could leverage this vulnerability to implant backdoors, steal sensitive information, or disrupt services. The impact extends to any organization using WordPress with this plugin, including e-commerce sites, blogs, and corporate portals, potentially affecting millions of websites globally.

Administrators should immediately verify if their WordPress installations use the User Meta – User Profile Builder and User management plugin at or below version 3.1.2. If so, they should upgrade to the latest patched version as soon as it becomes available. In the absence of an official patch, temporarily disabling the plugin or restricting access to authenticated users with Subscriber-level privileges can reduce risk. Implementing web application firewall (WAF) rules to detect and block suspicious file deletion requests targeting the plugin’s endpoints is recommended. Regular backups of critical files like wp-config.php should be maintained to enable rapid recovery. Monitoring server logs for unusual file deletion activities and anomalous user behavior can help detect exploitation attempts early. Additionally, applying the principle of least privilege by limiting user roles and permissions reduces the attack surface. Security teams should stay updated on vendor advisories and community patches.