PatchSiren cyber security CVE debrief
CVE-2026-13492 stiofansisland CVE debrief
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target without realpath canonicalization or uploads-directory boundary check.
- Vendor
- stiofansisland
- Product
- UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Authenticated attackers with Subscriber-level access and above on WordPress sites using the UsersWP plugin version 1.2.65 or earlier should be aware of this vulnerability. They may be able to delete arbitrary files on the affected site's server, including critical files like wp-config.php, which could lead to a complete compromise of the site's integrity and confidentiality.
Technical summary
The vulnerability exists in the UsersWP plugin for WordPress, specifically in versions up to and including 1.2.65. The issue arises from insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function, which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact. Additionally, the UsersWP_Forms::upload_file_remove() AJAX handler builds the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink().
Defensive priority
High priority due to the potential for authenticated attackers to delete arbitrary files on the affected site's server, including critical files like wp-config.php.
Recommended defensive actions
- Update the UsersWP plugin to a version beyond 1.2.65.
- Restrict access to the UsersWP plugin's AJAX handlers.
- Monitor server logs for suspicious file deletion attempts.
- Implement additional security measures such as file system monitoring and enhanced authentication checks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-09T19:17:03.883Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify the vulnerability's existence and scope within their environments, focusing on UsersWP plugin versions 1.2.65 or earlier.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:03.883Z and has not been modified since then. The NVD entry is currently Deferred.