{"id":"CVE-2026-13492","summary":"UsersWP \u003c= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field","details":"The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.","modified":"2026-07-15T01:48:58.215105672Z","published":"2026-07-09T18:33:16.055Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13492.json","cna_assigner":"Wordfence"},"references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.65/includes/class-forms.php#L1059"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.65/includes/class-forms.php#L1973"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.65/includes/class-forms.php#L2320"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.65/includes/class-forms.php#L2323"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.65/includes/class-validation.php#L190"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset/3590340/userswp"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b6cf6390-480f-44e2-ae36-67e3398add33?source=cve"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13492.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13492"},{"type":"FIX","url":"https://github.com/AyeCode/userswp/commit/ddb17ad30ff3384cda85c5f372db30b03bd45ac8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ayecode/userswp","events":[{"introduced":"0"},{"fixed":"ddb17ad30ff3384cda85c5f372db30b03bd45ac8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.2.65"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["1.2.3.11","1.2.3.10","1.2.3.9","1.2.3.8","1.2.3.7","1.2.3.6","1.2.3.5","1.2.3.4","1.2.3.3","1.2.3.2","1.2.3.1","1.2.3","1.2.2.37","1.2.2.36","1.2.2.35","1.2.2.34","1.2.2.33","1.2.2.32","1.2.2.31","1.2.2.30","1.2.2.29","1.2.2.28","1.2.2.27","1.2.2.26","1.2.2.25","1.2.2.24","1.2.2.23","1.2.2.22","1.2.2.21","1.2.2.20","1.2.2.19","1.2.2.18","1.2.2.17","1.2.2.16","1.2.2.15","1.2.2.14","1.2.2.13","1.2.2.12","1.2.2.11","1.2.2.10","1.2.2.9","1.2.2.8","1.2.2.7","1.2.2.6","1.2.2.5","1.2.2.4","1.2.2.3","1.2.2.2","1.2.2.1","1.2.2","1.2.1.9","1.2.1.8","1.2.1.7","1.2.1.6","1.2.1.5","1.2.1.4","1.2.1.3","1.2.1.2","1.2.1.1","1.2.1","1.2.0.12","1.2.0.11","1.2.0.10","1.2.0.9","1.2.0.8","1.2.0.7","1.2.0.6","1.2.0.5","1.2.0.4","1.2.0.3","1.2.0.2","1.2.0.1","1.2.0","1.1.3","1.1.2","1.1.1","1.1.0","1.0.24","1.0.23","1.0.22","1.0.21","1.0.20","1.0.19","1.0.18","1.0.17","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.10","1.0.11","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13492.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}