CVE-2026-13492 in UsersWP Plugin
Summary
by MITRE • 07/09/2026
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP_Validation::validate_fields() function (which falls through to sanitize_text_field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP_Forms::upload_file_remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The UsersWP WordPress plugin contains a critical vulnerability that allows authenticated attackers with subscriber-level privileges or higher to perform arbitrary file deletion on affected systems. This vulnerability exists in versions up to and including 1.2.65 and represents a severe security flaw that can lead to complete system compromise. The vulnerability stems from improper validation of file field values within the UsersWP_Validation::validate_fields() function, which fails to adequately sanitize file paths before processing them. Specifically, when file-type fields are processed, the function delegates validation to sanitize_text_field(), a WordPress function that does not perform directory traversal sequence removal. This allows malicious actors to inject path traversal sequences such as ../ or ..\ into file field values, creating dangerous conditions for file operations.
The exploitation pathway becomes apparent when examining the UsersWP_Forms::upload_file_remove() AJAX handler, which serves as the attack vector for this vulnerability. This handler constructs the target deletion path by concatenating the WordPress uploads directory base path with attacker-controlled metadata values obtained from user input. The critical flaw lies in the absence of any realpath canonicalization checks or boundary validation against the uploads directory, meaning that the system accepts and processes potentially malicious file paths without proper sanitization. This design flaw enables attackers to manipulate the deletion target to point outside the intended upload directories, potentially reaching sensitive system files including wp-config.php, which contains critical database credentials and other sensitive configuration data.
The operational impact of this vulnerability extends far beyond simple file deletion capabilities, as it provides attackers with a powerful tool for system compromise. An attacker with subscriber-level access can leverage this vulnerability to remove critical WordPress files, plugin files, or even core WordPress components, potentially causing service disruption or enabling further exploitation. The ability to delete wp-config.php specifically undermines the security foundation of the entire WordPress installation, as it would require complete reinstallation and reconfiguration of the site. This vulnerability aligns with CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which addresses path traversal flaws in file system operations. From an attack framework perspective, this vulnerability maps to multiple MITRE ATT&CK techniques including T1059.001 - Command and Scripting Interpreter: PowerShell and T1486 - Data Encrypted for Impact, as attackers could potentially use this capability to remove backup files or encrypt important data before deletion.
Mitigation strategies should focus on immediate remediation through plugin updates to versions that address the validation flaws in both the UsersWP_Validation::validate_fields() function and the UsersWP_Forms::upload_file_remove() handler. Organizations should implement additional security measures such as restricting file upload capabilities, implementing proper input sanitization for all user-controllable fields, and establishing monitoring of file deletion operations within WordPress upload directories. Network-level defenses including web application firewalls that can detect and block path traversal patterns should also be considered. The vulnerability highlights the importance of proper secure coding practices in plugin development, particularly around file system operations and user input handling. Organizations should conduct thorough security assessments of their WordPress installations to identify similar vulnerabilities in other plugins or themes, as this represents a common pattern in poorly secured WordPress components that fail to implement proper boundary checking for file operations.