<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>UsersWP Plugin &lt;= 1.2.65 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/userswp-plugin--1.2.65/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 19:18:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/userswp-plugin--1.2.65/feed.xml" rel="self" type="application/rss+xml"/><item><title>UsersWP Plugin Arbitrary File Deletion (CVE-2026-13492)</title><link>https://feed.craftedsignal.io/briefs/2026-07-userswp-file-deletion/</link><pubDate>Thu, 09 Jul 2026 19:18:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-userswp-file-deletion/</guid><description>The UsersWP plugin for WordPress contains an Arbitrary File Deletion vulnerability, CVE-2026-13492, in versions up to and including 1.2.65, allowing an authenticated attacker with Subscriber-level access or higher to exploit insufficient validation in file-field values combined with an AJAX handler that lacks proper path canonicalization to delete arbitrary files on the server, including critical files like `wp-config.php`, leading to system impact.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-13492, has been identified in the UsersWP plugin for WordPress, affecting versions up to and including 1.2.65. This flaw permits authenticated attackers with Subscriber-level privileges or higher to perform arbitrary file deletion on the hosting server. The vulnerability stems from inadequate sanitization of file-field values within the <code>UsersWP_Validation::validate_fields()</code> function, which allows directory traversal sequences to persist. Subsequently, the <code>UsersWP_Forms::upload_file_remove()</code> AJAX handler, responsible for file removal, constructs target paths by concatenating an uploads base directory with an attacker-controlled metadata value without proper realpath canonicalization or boundary checks. This allows a malicious actor to delete sensitive system files, such as <code>wp-config.php</code>, leading to potential denial of service or further compromise of the WordPress instance.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker, with at least Subscriber-level privileges on the WordPress site, identifies the vulnerable UsersWP plugin.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>UsersWP_Forms::upload_file_remove()</code> AJAX handler.</li>
<li>The request includes a specially crafted &quot;file-field&quot; parameter containing directory traversal sequences (e.g., <code>../../../../</code>).</li>
<li>The <code>UsersWP_Validation::validate_fields()</code> function processes this input but fails to properly sanitize the directory traversal sequences.</li>
<li>The <code>upload_file_remove()</code> AJAX handler receives the unsanitized path and constructs a full file path for deletion.</li>
<li>This construction involves concatenating the WordPress uploads base directory with the attacker-controlled, directory-traversal-laden path, without performing <code>realpath</code> canonicalization or boundary checks.</li>
<li>The handler then invokes the <code>unlink()</code> function with the maliciously constructed arbitrary file path.</li>
<li>This results in the deletion of arbitrary files on the web server, potentially including critical files like <code>wp-config.php</code>, leading to site unavailability or further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The arbitrary file deletion vulnerability (CVE-2026-13492) allows authenticated attackers to delete critical files on the victim's WordPress server, including the <code>wp-config.php</code> file, which contains database credentials and other vital configuration settings. Successful exploitation can lead to a complete denial of service for the website, requiring manual intervention to restore functionality. Furthermore, the ability to delete arbitrary files could be leveraged by attackers as a step towards achieving greater compromise, such as clearing logs to evade detection or disrupting security mechanisms. The CVSS v3.1 Base Score of 8.8 reflects the high severity of this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the UsersWP plugin to a version greater than 1.2.65 to patch CVE-2026-13492.</li>
<li>Review web server access logs for unusual HTTP POST requests to AJAX endpoints, specifically <code>wp-admin/admin-ajax.php?action=userswp_upload_file_remove</code>, containing path traversal sequences (e.g., <code>../</code>, <code>..\</code>) in parameters, to detect potential exploitation attempts of CVE-2026-13492.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>vulnerability</category><category>web</category><category>file-deletion</category><category>remote-code-execution</category></item></channel></rss>