WordPress WP User Manager plugin <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter vulnerability

Authenticated Subscriber+ Arbitrary File Deletion via 'currentuseravatar' Parameter vulnerability discovered by YCInfosec in WordPress Plugin WP User Manager versions = 2.9.12...

CVE-2025-13320

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filterinp...