PT-2026-56916 · Stiofansisland · Userswp – Front-End Login Form

Daroo

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-13492

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP Validation::validate fields() function (which falls through to sanitize text field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP Forms::upload file remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13492

Affected Products

Userswp – Front-End Login Form