Skip to main content

UsersWP CVE-2026-13492

| EUVDEUVD-2026-42686 HIGH
Path Traversal (CWE-22)
2026-07-09 security@wordfence.com GHSA-j69f-3cmp-jrjj
8.8
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote, low-complexity, Subscriber-authenticated (PR:L) arbitrary deletion gives I:H/A:H; direct primitive discloses nothing so C:N, unlike the vendor's chain-based C:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 19:36 vuln.today
CVE Published
Jul 09, 2026 - 19:17 nvd
HIGH 8.8

DescriptionCVE.org

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

AnalysisAI

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register/obtain Subscriber account
Delivery
Craft file-field metadata with '../' traversal
Exploit
Invoke upload_file_remove AJAX handler
Execution
unlink() deletes wp-config.php
Persist
WordPress drops into setup mode
Impact
Reconfigure to attacker DB for takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account of Subscriber level or above (CVSS PR:L), so the site must permit that access - most impactful on installations with open user registration enabled, where obtaining a Subscriber account is trivial. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects an easily reachable, low-complexity network attack requiring only the lowest authenticated role (Subscriber), which many WordPress sites grant via open registration - making the PR:L barrier trivial in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a low-privilege Subscriber account on a UsersWP-enabled site with open registration, then submits or manipulates a profile file-field so its stored metadata contains a directory-traversal path such as '../../../wp-config.php'. Invoking the upload_file_remove AJAX handler causes the plugin to unlink() that path, deleting wp-config.php and pushing WordPress into its installation wizard, from which the attacker can point the site at a database they control and achieve full compromise. …
Remediation Update UsersWP to the first release built from WordPress.org changeset 3590340 / GitHub commit ddb17ad30ff3384cda85c5f372db30b03bd45ac8, which adds proper path handling for file-field deletion; this is an upstream fix available via commit/changeset, and the exact released patched version is not independently confirmed from the provided data - treat the next release after 1.2.65 as the target and verify the fixed version on the plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for UsersWP plugin versions ≤ 1.2.65; disable Subscriber role file management capabilities or remove user assignment pending remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-13492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy