WP User Manager Plugin Arbitrary File Deletion Vulnerability

Vulnerability

An arbitrary file deletion vulnerability has been identified in the WP User Manager plugin for WordPress, affecting all versions up to and including 2.9.12. The issue arises from insufficient validation of the user-supplied file path handled by the profile update feature, combined with how PHP's filter_input() treats array input: when a parameter is submitted as an array and the call does not set FILTER_REQUIRE_ARRAY or FILTER_FORCE_ARRAY, filter_input() returns false instead of a string, so a check written against the string form never sees the value that is actually submitted. Together these allow authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server through the 'current_user_avatar' parameter. Because the flaw is reached through the avatar upload, it is only exploitable on sites where the plugin's custom avatar setting is enabled; on such sites it can lead to remote code execution, depending on which file is deleted.

Impact

Exploitation allows deletion of any file the web server process is permitted to remove. Whether this escalates to remote code execution depends on which file is deleted: removing wp-config.php is the classic route, because WordPress then serves its installer to any visitor, and an attacker who completes the installation against a database they control can install a plugin or theme containing arbitrary PHP.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher uploads an image through the avatar upload feature in the user profile section. Submitting a second upload makes the plugin remove the previously stored avatar, and the path of that previous file is taken from the user-controlled 'current_user_avatar' parameter rather than from server-side state. Substituting a different path in that parameter therefore deletes a file unrelated to the avatar feature. When checking exposure, confirm that the installed version is 2.9.12 or earlier and that custom avatars are enabled; in logs that capture POST bodies (for example a WAF), profile-update requests carrying 'current_user_avatar' as an array, or as a path pointing outside the uploads directory, are the indicator to look for.

Added: Dec 12, 2025, 5:34 AM
Updated: Dec 12, 2025, 5:34 AM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          0.8
exploitability  6.4
remediation     0.0
relevance       1.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.