Back to overview

CVE-2026-13492

HIGH
8.8
CVSS 3.1
Description
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

Metadata

CVE ID
CVE-2026-13492
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-27 16:40 UTC
Published
2026-07-09 18:33 UTC
Last updated
2026-07-09 19:47 UTC
Primary CWE
CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product
stiofansisland / UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
stiofansisland UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP 0 ≤ 1.2.65
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Back to overview