Vendor
The UsersWP plugin for WordPress contains an Arbitrary File Deletion vulnerability, CVE-2026-13492, in versions up to and including 1.2.65, allowing an authenticated attacker with Subscriber-level access or higher to exploit insufficient validation in file-field values combined with an AJAX handler that lacks proper path canonicalization to delete arbitrary files on the server, including critical files like `wp-config.php`, leading to system impact.