VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 7 known issues Latest disclosed Sep 10, 2025

User Meta – User Profile Builder and User management plugin Vulnerabilities

Review known vulnerability records for the WordPress plugin User Meta – User Profile Builder and User management plugin (`user-meta`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-9693, CVE-2025-47611 and CVE-2024-9262, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
7
High or Critical
1
Patch Coverage
100%
Last Updated
Sep 11, 2025
Priority CVE Quick Links

Fast paths into User Meta – User Profile Builder and User management plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
6
CVE-2025-9693 High No patch listed
CVE-2025-9693 User Meta – User Profile Builder and User management plugin Remote Code Execution

User Meta – User Profile Builder and User management plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion

CVE-2024-9262 Medium 3.1.2
CVE-2024-9262 User Meta – User Profile Builder and User management plugin Sensitive Information Exposure

User Meta – User Profile Builder and User management plugin <= 3.1.1 - Insecure Direct Object Reference to Sensitive Information Exposure

CVE-2025-47611 Medium No patch listed
CVE-2025-47611 User Meta – User Profile Builder and User management plugin Cross-Site Scripting

User Meta <= 3.1.2 - Reflected Cross-Site Scripting

CVE-2022-0376 Medium 2.4.3
CVE-2022-0376 User Meta – User Profile Builder and User management plugin Cross-Site Scripting

User Meta <= 2.4.2 - Authenticated (Admin+) Cross-Site Scripting

CVE-2024-33575 Medium 3.1
CVE-2024-33575 User Meta – User Profile Builder and User management plugin Sensitive Information Exposure

User Meta <= 3.0 - Unauthenticated Sensitive Information Exposure

CVE-2022-0779 Medium 2.4.4
CVE-2022-0779 User Meta – User Profile Builder and User management plugin Vulnerability

User Meta – User Profile Builder and User management plugin <= 2.4.3 - Path Traversal

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for User Meta – User Profile Builder and User management plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
7 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2025-9693, CVE-2025-47611 and CVE-2024-9262
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for User Meta – User Profile Builder and User management plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: No CVE-2025-9693
CVE-2025-9693: User Meta – User Profile Builder and User management plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for aut...

Published
Sep 10, 2025
Patched Release
Not published
Affected Versions
Versions up to 3.1.2
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-9693 Report Open CVE Reference
Plugin Medium Patched: No CVE-2025-47611
CVE-2025-47611: User Meta <= 3.1.2 - Reflected Cross-Site Scripting

The User Meta plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

Published
May 22, 2025
Patched Release
Not published
Affected Versions
Versions up to 3.1.2
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-47611 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9262
CVE-2024-9262: User Meta – User Profile Builder and User management plugin <= 3.1.1 - Insecure Direct Object Reference to Sensitive Information Exposure

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for auth...

Published
Nov 08, 2024
Patched Release
3.1.2
Affected Versions
Versions up to 3.1.1
Next Step
Update to 3.1.2 or newer if supported.
Open CVE-2024-9262 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-33575
CVE-2024-33575: User Meta <= 3.0 - Unauthenticated Sensitive Information Exposure

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0 via the /views/debug.php file. This makes it possible for unauthenticated attackers, with to extract sens...

Published
Apr 25, 2024
Patched Release
3.1
Affected Versions
Versions up to 3.0
Next Step
Update to 3.1 or newer if supported.
Open CVE-2024-33575 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0779
CVE-2022-0779: User Meta – User Profile Builder and User management plugin <= 2.4.3 - Path Traversal

The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads

Published
May 16, 2022
Patched Release
2.4.4
Affected Versions
Versions before 2.4.4
Next Step
Update to 2.4.4 or newer if supported.
Open CVE-2022-0779 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0376
CVE-2022-0376: User Meta <= 2.4.2 - Authenticated (Admin+) Cross-Site Scripting

The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfil...

Published
May 09, 2022
Patched Release
2.4.3
Affected Versions
Versions up to 2.4.2
Next Step
Update to 2.4.3 or newer if supported.
Open CVE-2022-0376 Report Open CVE Reference
Plugin Medium Patched: Yes
User Meta – User Profile Builder and User management plugin 1.1.1 - Arbitrary File Upload

The User Meta plugin for wordPress is vulnerable to Arbitrary File Uploads in versions up to, and including 1.1.1, due to insufficient file type validation in the user-meta/framework/helper/uploader.php file. This makes it possible for attackers to upload malicious files and achi...

Published
Aug 01, 2014
Patched Release
1.1.2
Affected Versions
1.1.1 through 1.1.1
Next Step
Update to 1.1.2 or newer if supported.
Open Full Report