CVE-2026-13492

Source
https://cve.org/CVERecord?id=CVE-2026-13492
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13492.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13492
Published
2026-07-09T18:33:16.055Z
Modified
2026-07-15T01:48:58.215105672Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field
Details

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields() function (which falls through to sanitizetextfield() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWPForms::uploadfile_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13492.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "Wordfence"
}
References

Affected packages

Git / github.com/ayecode/userswp

Affected ranges

Type
GIT
Repo
https://github.com/ayecode/userswp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.65"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.1
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.2
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.0.1
1.2.0.10
1.2.0.11
1.2.0.12
1.2.0.2
1.2.0.3
1.2.0.4
1.2.0.5
1.2.0.6
1.2.0.7
1.2.0.8
1.2.0.9
1.2.1
1.2.1.1
1.2.1.2
1.2.1.3
1.2.1.4
1.2.1.5
1.2.1.6
1.2.1.7
1.2.1.8
1.2.1.9
1.2.2
1.2.2.1
1.2.2.10
1.2.2.11
1.2.2.12
1.2.2.13
1.2.2.14
1.2.2.15
1.2.2.16
1.2.2.17
1.2.2.18
1.2.2.19
1.2.2.2
1.2.2.20
1.2.2.21
1.2.2.22
1.2.2.23
1.2.2.24
1.2.2.25
1.2.2.26
1.2.2.27
1.2.2.28
1.2.2.29
1.2.2.3
1.2.2.30
1.2.2.31
1.2.2.32
1.2.2.33
1.2.2.34
1.2.2.35
1.2.2.36
1.2.2.37
1.2.2.4
1.2.2.5
1.2.2.6
1.2.2.7
1.2.2.8
1.2.2.9
1.2.3
1.2.3.1
1.2.3.10
1.2.3.11
1.2.3.2
1.2.3.3
1.2.3.4
1.2.3.5
1.2.3.6
1.2.3.7
1.2.3.8
1.2.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13492.json"