Top/Articles/WordPress Member Plugin 'UsersWP' Site-Takeover Flaw CVE-2026-13492 — 20,000 Sites Should Update to v1.2.66 Now
userswp-cve-cover-en

WordPress Member Plugin 'UsersWP' Site-Takeover Flaw CVE-2026-13492 — 20,000 Sites Should Update to v1.2.66 Now

A flaw (CVE-2026-13492) in the WordPress plugin UsersWP—used on over 20,000 sites to add member registration—lets an ordinary user who merely registered delete key files and push toward a full site takeover. Severity is 8.8 out of 10. The fixed version 1.2.66 is already out, and updating stops it. We explain the affected versions and what to do right now.

NewsPublished July 10, 2026 Updated today
Table of contents
Key takeaways

A flaw (CVE-2026-13492) in the WordPress plugin UsersWP—used on over 20,000 sites to add member registration—lets an ordinary user who merely registered delete key files and push toward a full site takeover. Severity is 8.8 out of 10. The fixed version 1.2.66 is already out, and updating stops it. We explain the affected versions and what to do right now.

The popular plugin that adds sign-up and login features to WordPress sites, "UsersWP," has a flaw that lets anyone who merely registered as a member on the site delete important files on it at will. Tracked as CVE-2026-13492, its severity is a high 8.8 out of 10. UsersWP is used on more than 20,000 sites, so the reach is not small.

What makes it frightening is that the deletable files include "wp-config.php," the heart of a WordPress site's configuration. If that file is deleted, the site reverts to a blank, freshly-installed state, and from there the site itself can be taken over. The more the plugin is run in its intended "anyone can register" mode, the wider the door for abuse. Fortunately, a fix, version 1.2.66, is already out, and updating stops it. If your site uses UsersWP, check your version right now.

What is UsersWP?

UsersWP is a plugin that adds a registration form, login form, profile page, and members directory to a site built with WordPress. A plugin is an add-on component that extends WordPress after the fact. With UsersWP installed, you can build a "membership site" — where visitors create their own accounts, log in, and edit their profiles — without specialist knowledge. It is widely used for online salons, community sites, and internal member pages.

In other words, by its very design, UsersWP is a plugin whose whole purpose is letting unknown visitors create member accounts. Many sites run it in a state where anyone can freely register. This month's vulnerability is troublesome precisely because that "account anyone can create" can be used as a foothold to destroy the site. Plugins that provide membership features have been targeted before — the flaw in WordPress 'Ultimate Member' that let attackers hijack administrator accounts is one example — a shared weak spot where the very doorway that welcomes users becomes the target.

What is the danger, and how far does the damage spread?

This flaw is a type of defect known technically as "path traversal." Path traversal refers to the technique of slipping a "go up one level" symbol (../) into the string that specifies where a file lives, thereby reaching files in places you should never be able to touch. UsersWP has a feature for deleting files uploaded by members, and because the check for this symbol was too lax there, it became possible to specify and delete a file located anywhere on the site.

Among the deletable files, the most dangerous is "wp-config.php," which forms the foundation of WordPress. It holds things like the database connection details, and if it disappears, WordPress mistakes itself for "a brand-new install not yet set up." In that gap, if an attacker reconnects it to a database they prepared and creates a new administrator account, the site is taken over wholesale. It does not end at "one file got deleted" — it becomes the doorway to seizing control of the entire site.

The privilege required to exploit it is only the "subscriber," the lowest level of member account. There is no need to be an administrator or editor. On a site with open registration, an attacker can create an account on the spot, so effectively anyone can stand at the starting line of the attack. This pattern of leaping from a low privilege straight to control of the site also echoes the flaw in WordPress 'WPCode' that led from editor privileges to arbitrary code execution.

Who targets this hole, and what happens?

The likely exploiters are vandals who deface and wreck sites for kicks, or attackers who hold a site hostage to demand money or rebuilding fees. Once they get through registration, they need almost no special tools, making the target an easy one. Membership sites run by individuals or small groups tend to fall behind on plugin updates because day-to-day upkeep keeps them busy, and that becomes the weak point that gets struck.

The attack flow is simple. The attacker first registers as an ordinary member on the target site, then sends a crafted deletion request from that account to erase the files that form the site's foundation. On a site that accepts registration, this first step requires no lapse by an administrator. After that, it is just a matter of taking over a site that has dropped into an initialized state.

As a result, the individual or business running the site suffers damage such as published pages going blank or being rewritten into entirely different content. From the perspective of users registered as members, personal information they entrusted may be put at risk through the post-takeover site. Once taken over, recovery costs time and money, and the site's own credibility is harmed. Takeovers exploiting WordPress plugin flaws are, in reality, reported in large numbers almost every month.

A technical look at what is happening

The problem lay in how the routine for deleting files uploaded by members was built. It has one identifier assigned to it.

CVE-2026-13492: Slipping past input checks to delete files that should be off-limits

In UsersWP, members can upload things like profile photos, and a window to delete them is provided too. This deletion routine should only ever target "files inside a designated folder that the member themselves uploaded." But the input-checking routine called "validate_fields" let level-changing symbols like "../" slipped into the file name pass through as-is, and the subsequent deletion routine "upload_file_remove" also erased files without verifying whether the specified location was inside the proper upload folder.

With these two gaps overlapping, an attacker can line up level-changing symbols in the deletion target and delete any file outside the upload folder — for example, wp-config.php. The U.S. National Institute of Standards and Technology (NIST) classifies this as being able to trace a path to off-limits locations (CWE-22, path traversal). The severity is a high 8.8 because it was judged that a low-privilege member account can seriously impact all of a site's confidentiality, integrity, and availability. The vendor fixed it by strengthening the flawed check, resolving it in version 1.2.66.

Affected versions and a map of the risk

The affected range is all versions of UsersWP 1.2.65 and earlier. The fix is 1.2.66 (released June 29, 2026), and the very next day the latest 1.2.67 came out too. How dangerous your own site is depends on the combination of the version you run and "how far you have opened up member registration." Use the table below to locate your position.

Your current situationRisk levelWhy
1.2.65 or earlier
×
anyone can register
Most dangerousAn attacker registers on the spot
and immediately has a foothold
1.2.65 or earlier
×
registration is admin-approved
Still dangerousA valid member account is needed, but
an insider or hijacked low-priv account can abuse it
1.2.66 or laterFixedThe check is strengthened
and this route is closed

Making registration approval-based is not a fundamental fix. It only slightly raises the difficulty of obtaining a valid account for the attack; the same thing happens if a malicious member, or an existing member whose password was stolen, is used. The reliable move is simply to update to version 1.2.66 or later.

The timeline so far

← Swipe to move

The fix was quietly released first, and only afterward was the vulnerability disclosed. Looking at the changelog, sites that have auto-update turned off risk being left behind on old versions. If that sounds like you, check your current version first.

What is confirmed and what is still unknown

✓ Confirmed facts

  • A subscriber-level member account can delete arbitrary files, and wp-config.php can be a target (NVD)
  • Affected are UsersWP 1.2.65 and earlier, and the fixed version 1.2.66 is already out (WordPress.org)
  • The severity is 8.8, seriously impacting confidentiality, integrity, and availability (Wordfence)

? Not yet confirmed

  • ?As of publication, there is no official report that this flaw has been used in real attacks
  • ?It is not, as of publication, on the U.S. CISA "Known Exploited Vulnerabilities (KEV)" catalog of attacks confirmed in the wild (the latest KEV status can be checked here)
  • ?Whether a proof-of-concept (PoC) demonstrating the attack has been published is not confirmed as of publication

What you can do right now

The direction is clear. The top priority is to update UsersWP to 1.2.66 or later (ideally the latest 1.2.67). From the "Plugins" screen in the WordPress admin, check whether an update notice is showing for UsersWP, and if so, apply it right away. Turning on auto-update makes it harder to be left behind should a similar issue arise in the future.

If circumstances keep you from updating immediately, stopgaps such as temporarily pausing member registration and checking whether unfamiliar new member accounts have been increasing can narrow the entry points for abuse. Also, keeping a backup of the site, including wp-config.php, makes recovery easier should it be deleted. These only buy time, though — fundamentally, a version upgrade is required.

To protect a WordPress site, the basics are to remove unused plugins and keep only the active ones up to date. Plugins that "welcome outside people," such as membership and booking features, are especially targeted, and the same caution is needed again and again — as in the case of the booking plugin LatePoint that led to site takeover.

Your roleWhat to do nowPriority
Site operatorUpdate to 1.2.66 or later
Pause registration until updated
Top
Site builder / contractorCheck delivered sites' versions
Propose enabling auto-update
High
Member using a siteStop reusing passwords
Report anything suspicious to the operator
Medium

Frequently asked questions

Q. How can I check whether my site uses UsersWP?

A. Log in to the WordPress admin and open "Plugins" in the left menu; you can tell by whether "UsersWP" appears in the list of active plugins. The version number is shown too, so if it is 1.2.65 or earlier, an update is needed. If you leave your site to a production company, ask them to check the version and update it.

Q. Am I safe if I do not accept member registration?

A. It raises the difficulty of an attack compared with letting anyone register, but it cannot be called safe. Exploitation merely needs a valid member account; the same damage can occur if an insider, or an existing member whose password was stolen, is used. Regardless of how open registration is, updating is the reliable move.

Q. Is it already being exploited?

A. As of this article, there is no confirmed official report of this flaw being used in real attacks, and it is not on CISA's Known Exploited Vulnerabilities (KEV) catalog. That said, the technique is simple, and WordPress plugin vulnerabilities are often exploited soon after disclosure, so it is safer to finish updating early.

Q. If wp-config.php is deleted, is it gone for good?

A. If you have a backup, recovery is possible. Because wp-config.php holds the database connection details, you can restore it from a backup taken before deletion, or recreate it with the correct details, and the site can be recovered. That is exactly why keeping backups of both files and the database is an effective safeguard against takeover.

In summary

This case is about how a convenient plugin that easily adds membership features can, because of its very "anyone can register" nature, become a doorway for registrants to wreck the site's foundation. CVE-2026-13492 leads from the subscriber — the lowest privilege — through the deletion of wp-config.php all the way to site takeover. With more than 20,000 sites affected, it is by no means someone else's problem.

The saving grace is that the fixed version 1.2.66 is already out. Just updating from the admin screen stops it. For plugins that welcome outside people, such as membership and booking features, it is best to treat "convenient but easily targeted" as a given and make frequent updates a habit. We will report again if new signs of exploitation emerge.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django