Local File Inclusion in WP User Manager – User Profile Builder & Membership
CVE-2026-9290 is a Local File Inclusion vulnerability in the WP User Manager – User Profile Builder & Membership plugin for WordPress. All versions up to and including 2.9.17 are affected. The issue is reachable via the profile template scope function, which allows attacker-controlled inclusion of local files. Because the vulnerable code path can include .php files present on the server, an unauthenticated attacker may be able to cause execution of PHP code contained in those files. File inclusion therefore becomes code execution when suitable PHP files are available on the target system.
Exploits
No public exploit code observed for this vulnerability.
Recent activity
6 sources tracked across advisories, community write-ups, and news.