CVE-2026-13492
Received Received - Intake

Arbitrary File Deletion in UsersWP WordPress Plugin

Vulnerability report for CVE-2026-13492, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ayecode userswp to 1.2.65 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the affected site's server, including critical configuration files such as wp-config. This can lead to unauthorized data loss or disruption of service.

Such unauthorized file deletion could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability. If sensitive personal or health data is lost or systems are disrupted due to this vulnerability, it may result in non-compliance with these regulations.

Executive Summary

The UsersWP plugin for WordPress has a vulnerability called Arbitrary File Deletion in versions up to and including 1.2.65. This happens because the plugin does not properly validate file-field values in the UsersWP_Validation::validate_fields() function. Specifically, it uses sanitize_text_field() for file-type fields but leaves directory-traversal sequences intact. Additionally, the UsersWP_Forms::upload_file_remove() AJAX handler constructs the file deletion target by concatenating the uploads base directory with attacker-controlled metadata without performing realpath canonicalization or checking if the file is within the uploads directory. As a result, authenticated users with Subscriber-level access or higher can delete arbitrary files on the server, including critical files like wp-config.php.

Impact Analysis

This vulnerability allows attackers with at least Subscriber-level access to delete any file on the affected WordPress site's server. This can lead to severe consequences such as deleting critical configuration files (e.g., wp-config.php), which can disrupt the website's operation, cause data loss, or enable further exploitation. The ability to delete arbitrary files compromises the integrity and availability of the website and its data.

Mitigation Strategies

To mitigate this vulnerability, you should update the UsersWP plugin to a version that includes the security fix. The vulnerability was addressed by enhancing validation for file field deletion, as seen in the commit ddb17ad30ff3384cda85c5f372db30b03bd45ac8 on the official UsersWP GitHub repository.

Until the update is applied, restrict Subscriber-level and above users from performing file deletion actions if possible, and monitor for suspicious activity related to file deletions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13492. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart