CVE-2025-9693
User · User Meta – User Profile Builder and User management plugin for WordPress
A high-severity vulnerability has been identified in the "User Meta – User Profile Builder and User management" WordPress plugin.
Executive summary
This high-severity flaw in the "User Meta – User Profile Builder and User management" WordPress plugin allows a malicious actor to delete arbitrary files on the server hosting the website, which could lead to a complete site outage, data loss, or create opportunities for further system compromise. Immediate patching is required to mitigate the significant risk of website defacement and denial of service.
Vulnerability
The vulnerability is an Arbitrary File Deletion flaw within the postInsertUserProcess function of the plugin. Due to insufficient validation of user-supplied file paths, an attacker can craft a malicious request that tricks the function into deleting files outside of the intended directories. An attacker could potentially use path traversal techniques (e.g., ../../..) to target and delete critical system files, such as wp-config.php, .htaccess, or other core application files, leading to a denial of service or exposing sensitive configuration data.
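For contrast with the missing validation described above, the following shows the containment check a file-deletion routine needs before it calls unlink. It is an added example written in Python for illustration, not the plugin's own PHP code; the directory and file names it builds are constructed.

```python
import os
import tempfile

def resolve_within(base_dir, user_path):
    """Return the canonical absolute path of user_path if it lies inside base_dir,
    otherwise None. Symlinks and ../ sequences are resolved before the check, so a
    link placed inside base_dir that points outside is rejected as well."""
    base = os.path.realpath(base_dir)
    # A user-supplied absolute path makes os.path.join discard base entirely;
    # the containment check below catches that case too.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate

def safe_unlink(base_dir, user_path):
    """Delete user_path only if it resolves to a regular file inside base_dir.
    Returns True on deletion, False if the path was rejected or is not a file."""
    target = resolve_within(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True

def demo():
    """Build a throwaway WordPress-like tree (constructed names, not the plugin's
    real layout) and exercise the check. Returns the outcome of each attempt."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    avatar = os.path.join(uploads, "avatar.png")
    for path in (config, avatar):
        open(path, "w").close()
    # A symlink inside uploads/ that points at wp-config.php: lexical
    # normalisation alone (os.path.normpath) would let this one through.
    os.symlink(config, os.path.join(uploads, "link-to-config"))
    return {
        "traversal_rejected": not safe_unlink(uploads, "../../wp-config.php"),
        "absolute_rejected": not safe_unlink(uploads, config),
        "symlink_rejected": not safe_unlink(uploads, "link-to-config"),
        "config_survives": os.path.exists(config),
        "legit_deleted": safe_unlink(uploads, "avatar.png"),
        "avatar_gone": not os.path.exists(avatar),
    }
```

The same pattern applies in PHP with realpath() and a prefix comparison; the point is that the check runs on the resolved path, not on the string the user sent.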
Business impact
This vulnerability is rated as High severity with a CVSS score of 8. Exploitation could have a significant negative impact on business operations. The primary risk is a denial-of-service condition, rendering the website completely inaccessible if critical WordPress core files are deleted. Furthermore, the deletion of specific data files could result in irreversible data loss, while the removal of security configuration files could weaken the server's defenses, making it susceptible to further attacks. The potential for reputational damage and the cost of incident response and site restoration are also considerable.
Remediation
Immediate Action:
- Immediately update the "User Meta – User Profile Builder and User management" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
- If the plugin is not essential for business operations, the most secure course of action is to deactivate and completely remove it from the WordPress installation.
- Review WordPress security settings to ensure file permissions are correctly configured to limit the web server user's ability to write or delete files in critical directories.
Proactive Monitoring:
- Monitor web server access logs for unusual POST requests to endpoints associated with the "User Meta" plugin, particularly any that contain suspicious file path manipulations (e.g., ../, %2e%2e%2f).
- Implement file integrity monitoring (FIM) on the web server to generate alerts for any unauthorized changes or deletions of critical WordPress files, especially wp-config.php.
- Review system logs for unexpected file deletion events originating from the web server process.
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks targeting this plugin's functions.
- Enforce the principle of least privilege by hardening file system permissions, ensuring the user account running the web server cannot delete files outside of its designated directories (e.g., wp-content/uploads).
- Restrict administrative access to the WordPress dashboard to trusted IP addresses only, reducing the attack surface for vulnerabilities that may require authenticated access.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8) of this vulnerability and the potential for complete website compromise, we strongly recommend that immediate action is taken. Organizations must prioritize updating the affected "User Meta" plugin to the latest patched version without delay. Although there is no evidence of active exploitation at this time, the risk of a simple exploit being developed is high. Proactive patching is the most effective strategy to prevent a potentially disruptive and costly security incident.