CVE-2026-13492
stiofansisland · UsersWP
The UsersWP plugin for WordPress is susceptible to an arbitrary file deletion vulnerability due to improper path validation.
Executive summary
An arbitrary file deletion vulnerability in the UsersWP plugin allows authenticated users to delete critical files from the server, potentially leading to a total system compromise.
Vulnerability
The plugin suffers from an improper limitation of a pathname to a restricted directory (CWE-22), also known as path traversal. Authenticated users with low-level privileges can manipulate input parameters to delete arbitrary files on the server hosting the WordPress installation.
Business impact
With a CVSS score of 8.8, this vulnerability poses a severe threat, as it enables the deletion of core system files, configuration files, or site data. Such an action can cause immediate and catastrophic system downtime, data loss, and potentially create a vector for further exploitation.
Remediation
Immediate Action: Update the UsersWP plugin to the latest version to apply the patch that sanitizes input paths and prevents traversal.
Proactive Monitoring: Monitor server file system integrity and access logs for attempts to access or delete files outside of the expected plugin directory.
Compensating Controls: Apply the principle of least privilege by ensuring the web server process has restricted write/delete access to the underlying file system.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to delete files on the server is a critical security failure. Administrators must apply the provided patch immediately to prevent malicious actors from causing irreversible damage to the hosting environment.