PT-2026-56916 · Stiofansisland · Userswp – Front-End Login Form
Daroo
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-13492
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWP Validation::validate fields() function (which falls through to sanitize text field() for fields of type 'file', leaving directory-traversal sequences intact) combined with the UsersWP Forms::upload file remove() AJAX handler building the deletion target from the uploads basedir concatenated with the attacker-controlled metadata value without any realpath canonicalization or uploads-directory boundary check before calling unlink(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the affected site's server, including wp-config.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Userswp – Front-End Login Form