{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/userswp-plugin--1.2.65/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-13492"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["UsersWP plugin \u003c= 1.2.65","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","web","file-deletion","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["UsersWP","WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-13492, has been identified in the UsersWP plugin for WordPress, affecting versions up to and including 1.2.65. This flaw permits authenticated attackers with Subscriber-level privileges or higher to perform arbitrary file deletion on the hosting server. The vulnerability stems from inadequate sanitization of file-field values within the \u003ccode\u003eUsersWP_Validation::validate_fields()\u003c/code\u003e function, which allows directory traversal sequences to persist. Subsequently, the \u003ccode\u003eUsersWP_Forms::upload_file_remove()\u003c/code\u003e AJAX handler, responsible for file removal, constructs target paths by concatenating an uploads base directory with an attacker-controlled metadata value without proper realpath canonicalization or boundary checks. This allows a malicious actor to delete sensitive system files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, leading to potential denial of service or further compromise of the WordPress instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, with at least Subscriber-level privileges on the WordPress site, identifies the vulnerable UsersWP plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003eUsersWP_Forms::upload_file_remove()\u003c/code\u003e AJAX handler.\u003c/li\u003e\n\u003cli\u003eThe request includes a specially crafted \u0026quot;file-field\u0026quot; parameter containing directory traversal sequences (e.g., \u003ccode\u003e../../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUsersWP_Validation::validate_fields()\u003c/code\u003e function processes this input but fails to properly sanitize the directory traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eupload_file_remove()\u003c/code\u003e AJAX handler receives the unsanitized path and constructs a full file path for deletion.\u003c/li\u003e\n\u003cli\u003eThis construction involves concatenating the WordPress uploads base directory with the attacker-controlled, directory-traversal-laden path, without performing \u003ccode\u003erealpath\u003c/code\u003e canonicalization or boundary checks.\u003c/li\u003e\n\u003cli\u003eThe handler then invokes the \u003ccode\u003eunlink()\u003c/code\u003e function with the maliciously constructed arbitrary file path.\u003c/li\u003e\n\u003cli\u003eThis results in the deletion of arbitrary files on the web server, potentially including critical files like \u003ccode\u003ewp-config.php\u003c/code\u003e, leading to site unavailability or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe arbitrary file deletion vulnerability (CVE-2026-13492) allows authenticated attackers to delete critical files on the victim's WordPress server, including the \u003ccode\u003ewp-config.php\u003c/code\u003e file, which contains database credentials and other vital configuration settings. Successful exploitation can lead to a complete denial of service for the website, requiring manual intervention to restore functionality. Furthermore, the ability to delete arbitrary files could be leveraged by attackers as a step towards achieving greater compromise, such as clearing logs to evade detection or disrupting security mechanisms. The CVSS v3.1 Base Score of 8.8 reflects the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the UsersWP plugin to a version greater than 1.2.65 to patch CVE-2026-13492.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual HTTP POST requests to AJAX endpoints, specifically \u003ccode\u003ewp-admin/admin-ajax.php?action=userswp_upload_file_remove\u003c/code\u003e, containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\u003c/code\u003e) in parameters, to detect potential exploitation attempts of CVE-2026-13492.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T19:18:19Z","date_published":"2026-07-09T19:18:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-userswp-file-deletion/","summary":"The UsersWP plugin for WordPress contains an Arbitrary File Deletion vulnerability, CVE-2026-13492, in versions up to and including 1.2.65, allowing an authenticated attacker with Subscriber-level access or higher to exploit insufficient validation in file-field values combined with an AJAX handler that lacks proper path canonicalization to delete arbitrary files on the server, including critical files like `wp-config.php`, leading to system impact.","title":"UsersWP Plugin Arbitrary File Deletion (CVE-2026-13492)","url":"https://feed.craftedsignal.io/briefs/2026-07-userswp-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - UsersWP Plugin \u003c= 1.2.65","version":"https://jsonfeed.org/version/1.1"}