A vulnerability categorized as critical has been discovered in stiofansisland UsersWP Plugin up to 1.2.65. Impacted is the function UsersWP_Forms::upload_file_remove of the file wp-config of the component AJAX Handler. Such manipulation of the argument metadata leads to unrestricted upload.

This vulnerability is traded as CVE-2026-13492. The attack may be launched remotely. There is no exploit available.