CVE-2026-49766
WordPress · WP User Manager
An arbitrary file deletion vulnerability in the WP User Manager plugin for WordPress allows authenticated users to delete sensitive system files.
Executive summary
A critical arbitrary file deletion vulnerability in the WP User Manager plugin for WordPress permits authenticated attackers to remove sensitive system files, leading to potential service disruption.
Vulnerability
The plugin contains a flaw that allows authenticated subscribers to trigger arbitrary file deletion on the server filesystem. By manipulating specific parameters, an attacker can delete sensitive configuration files or core application files.
Business impact
With a CVSS score of 9.9, this vulnerability poses a Critical risk to business operations. Exploitation can lead to a complete denial of service, loss of administrative control, and site instability, resulting in significant operational downtime.
Remediation
Immediate Action: Update the WP User Manager plugin to the latest available version provided by the vendor.
Proactive Monitoring: Monitor server access logs for unusual requests targeting file-handling functions or deletion operations.
Compensating Controls: Restrict file system permissions for the web server user account to the minimum necessary level to prevent unauthorized deletion of sensitive paths.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical severity of this vulnerability, immediate remediation via plugin update is required. Organizations should evaluate their reliance on the affected plugin and ensure that all user permissions are strictly enforced to minimize the attack surface.