PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13492 stiofansisland CVE debrief

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target without realpath canonicalization or uploads-directory boundary check.

Vendor
stiofansisland
Product
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Authenticated attackers with Subscriber-level access and above on WordPress sites using the UsersWP plugin version 1.2.65 or earlier should be aware of this vulnerability. They may be able to delete arbitrary files on the affected site's server, including critical files like wp-config.php, which could lead to a complete compromise of the site's integrity and confidentiality.

Technical summary

The vulnerability exists in the UsersWP plugin for WordPress, specifically in versions up to and including 1.2.65. The issue arises from insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function, which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact. Additionally, the UsersWP_Forms::upload_file_remove() AJAX handler builds the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink().

Defensive priority

High priority due to the potential for authenticated attackers to delete arbitrary files on the affected site's server, including critical files like wp-config.php.

Recommended defensive actions

  • Update the UsersWP plugin to a version beyond 1.2.65.
  • Restrict access to the UsersWP plugin's AJAX handlers.
  • Monitor server logs for suspicious file deletion attempts.
  • Implement additional security measures such as file system monitoring and enhanced authentication checks.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-09T19:17:03.883Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify the vulnerability's existence and scope within their environments, focusing on UsersWP plugin versions 1.2.65 or earlier.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:03.883Z and has not been modified since then. The NVD entry is currently Deferred.