Cyber Resilience

CVE-2026-9290

High

Published: 06 June 2026

Modified: 08 June 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0186 (76.5th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-9290 is a high-severity path traversal (CWE-22) vulnerability in WordPress (the product is inferred from the references). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 23.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

The WP User Manager plugin for WordPress, a user profile builder and membership component, contains a local file inclusion vulnerability in all versions up to and including 2.9.17. The flaw resides in the profile template scope function and stems from insufficient validation of file paths, which allows arbitrary server-side PHP files to be included (CWE-22).

Unauthenticated remote attackers can exploit the issue over the network by supplying crafted input that resolves to a local PHP file. Successful exploitation permits reading sensitive data, bypassing access controls, or achieving code execution on the host when the attacker can first upload a PHP file that is subsequently included.

The supplied references point to the affected code paths in functions.php, permalinks.php, profile.php, and the Cortex router, along with a GitHub pull request, but contain no explicit statements on patching or mitigation steps. The EPSS score remains flat at 0.1175 with no material increase after disclosure.

EU & UK References

Vulnerability details

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CWE(s)

CWE-22: Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
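The control above is abstract; the following is an added, hypothetical PHP example of what it looks like for a template-loading routine of the kind described in this record. It is not WP User Manager code and does not reproduce the plugin's function, directory layout, or parameter names, all of which are assumptions here. It shows two independent layers: a strict syntactic allowlist on the requested template name, and a canonical-path containment check before anything is passed to include.

```php
<?php
// Added example, not WP User Manager code. Assumed layout: templates live in a
// fixed directory and are addressed by a bare name that maps to "<name>.php".

/**
 * Resolve a user-supplied template name to an absolute path inside $baseDir,
 * or return null if the name is malformed, the file is missing, or the
 * resolved path escapes the directory.
 */
function example_resolve_template(string $requested, string $baseDir): ?string
{
    // Layer 1: allowlist the shape of the name. No separators, no dots, no
    // null bytes, bounded length. This alone rejects "../" style input.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    // Layer 2: canonicalise and check containment. realpath() collapses
    // ".." and follows symlinks, and returns false for non-existent files,
    // so a name that only exists outside the directory cannot slip through.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $candidate;
}

/**
 * Self-contained demonstration using a temporary directory with one
 * constructed template, so the example runs offline. Returns a map of
 * input name => resolved path or null.
 */
function example_demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/profile.php', "<?php echo 'profile template';\n");

    $inputs = [
        'profile',                 // valid name, file exists -> resolved
        'missing',                 // valid shape, file absent -> null
        '../wp-config',            // traversal attempt -> rejected by allowlist
        'profile/../../index',     // separator in name -> rejected by allowlist
        "profile\0",               // embedded null byte -> rejected by allowlist
    ];
    $results = [];
    foreach ($inputs as $name) {
        $results[$name] = example_resolve_template($name, $dir);
    }

    unlink($dir . '/profile.php');
    rmdir($dir);
    return $results;
}

// Usage: only a validated path is ever passed to include.
$outcomes = example_demo();
foreach ($outcomes as $name => $path) {
    printf("%-22s => %s\n", json_encode($name), $path === null ? 'rejected' : 'ok');
}
```

Either layer stops the plain "../" case on its own; keeping both matters because the allowlist catches malformed input before any filesystem access, while the realpath containment check also covers symlinks inside the templates directory and any future code path that builds the name differently.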

References