CVE-2026-4882
CVE-2026-4882 is a critical arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress (versions up to and including 1.6.20) that allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Published Date: May 2, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.1
- EPSS Percentile: 20%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-4882 affects the User Registration Advanced Fields plugin for WordPress in all versions up to and including 1.6.20. The vulnerability stems from missing file type validation in the `URAF_AJAX::method_upload` function, which handles file uploads for the "Profile Picture" registration field. Because a registration form must accept input from visitors who are not yet registered, the handler requires no authentication, and because it enforces no file type restrictions, a remote attacker can upload arbitrary files, such as PHP webshells, to a web-accessible location on the server and then trigger them with a single request. This yields remote code execution as the web server user and, from there, full compromise of the hosting environment. The vulnerability is only exploitable when a "Profile Picture" field is present on a registration form, but that is a routine configuration for sites using the plugin. With a CVSS score of 9.8, this belongs to one of the most severe classes of web application vulnerabilities (CWE-434, unrestricted upload of a file with a dangerous type).
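The two handlers below are an added illustration of the bug class described above and its fix; they are not the plugin's source, which this page does not reproduce. The function and AJAX action names (`demo_upload_vulnerable`, `demo_upload_hardened`, `demo_profile_picture`) are hypothetical. The hardened version relies on WordPress's own `wp_check_filetype_and_ext()` and `wp_handle_upload()` so that the accepted type is decided by file content against an image allowlist, never by the client-supplied filename or Content-Type.

```php
<?php
// Added example: illustrative handlers, not the User Registration Advanced
// Fields code. Hypothetical names throughout.

// VULNERABLE PATTERN (the class of bug described above): the file is moved
// into the uploads directory under its client-supplied name with no nonce,
// no type check and no renaming, so "evil.php" lands in a web-served path.
function demo_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['path'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'url' => $upload_dir['url'] . '/' . basename( $target ) ) );
}

// HARDENED: a form nonce, an explicit image allowlist, content-based type
// validation, and a server-generated filename that keeps only the verified
// extension. A registration form is used by logged-out visitors, so a
// login check is not available here; the content checks are the control.
function demo_upload_hardened() {
    check_ajax_referer( 'demo_profile_picture', 'nonce' ); // dies on failure

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file received', 400 );
    }

    // Allowlist of image types a profile picture may legitimately be.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );

    $file  = $_FILES['file'];
    // Validates the real content (finfo / image sniffing) against the name
    // and the allowlist; a PHP file renamed to .jpg fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'File type not permitted', 415 );
    }

    // Never reuse the client name: random base name plus the verified extension,
    // which also defeats double extensions such as shell.php.jpg.
    $safe_name = wp_generate_uuid4() . '.' . $check['ext'];

    $result = wp_handle_upload(
        $file,
        array(
            'test_form'                => false,
            'mimes'                    => $allowed,
            'unique_filename_callback' => function ( $dir, $name, $ext ) use ( $safe_name ) {
                return $safe_name;
            },
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Hypothetical registration: the nopriv hook is needed for a registration
// form, which is exactly why the content validation above cannot be skipped.
add_action( 'wp_ajax_demo_profile_picture', 'demo_upload_hardened' );
add_action( 'wp_ajax_nopriv_demo_profile_picture', 'demo_upload_hardened' );
```

The important design choice is that the extension written to disk comes from `wp_check_filetype_and_ext()`, not from `$_FILES['file']['name']`; even if a future bug let a non-image through, the server-generated name and image-only allowlist leave no PHP extension for the web server to execute.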
Remediation
- Update the plugin to a release after 1.6.20 that adds the missing file type validation, as referenced in the vendor's changelog.
- If an update is not yet available, remove any "Profile Picture" field from registration forms to close the reachable code path, or deactivate the plugin entirely until a patch is applied.
- Hunt for prior exploitation. Any file under the uploads directory with a PHP extension (including double extensions such as `.php.jpg`), any file that contains a PHP open tag regardless of its name, and any unexpected `.htaccess` there should be treated as an indicator of compromise. Check web server access logs for multipart POST requests to the plugin's AJAX upload handler followed by direct requests for the uploaded path.
- Configure the web server so that PHP is never executed from the uploads directory (for example, an Apache directory rule or an nginx `location` block that refuses `.php` requests under `wp-content/uploads`). Filesystem permission bits alone do not help: the PHP interpreter runs any file the web server can read, so the block must be in the handler configuration.
- Add web application firewall (WAF) rules that reject uploads with executable extensions or PHP content sent to the plugin's upload handler.
- Regularly monitor plugin update channels and security advisories for further guidance.
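The following stand-alone PHP script is an added triage helper for the hunting step above; it is not from this page, the plugin or Wordfence. It walks an uploads tree and reports files that should never exist there: executable extensions anywhere in the name, PHP open tags in the first 4 KiB of content, and stray `.htaccess` files. Run it as `php scan_uploads.php /var/www/html/wp-content/uploads`; with no argument it builds a small constructed sample tree in the temp directory so the logic can be exercised offline.

```php
<?php
// Added triage helper (not the page's or the plugin's code). Constructed sample
// data is created by build_sample_tree() when no directory is given.

const EXEC_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar' );

/** Return a list of suspicious files under $root as [path, reasons, mtime] rows. */
function scan_uploads( string $root ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        /** @var SplFileInfo $file */
        if ( ! $file->isFile() ) {
            continue;
        }
        $path    = $file->getPathname();
        $reasons = array();

        // 1. Executable extension anywhere in the name: catches shell.php and
        //    shell.php.jpg (the latter still executes under some Apache setups).
        $parts = explode( '.', strtolower( $file->getFilename() ) );
        array_shift( $parts ); // drop the base name, keep every extension segment
        foreach ( $parts as $ext ) {
            if ( in_array( $ext, EXEC_EXTENSIONS, true ) ) {
                $reasons[] = "executable extension .$ext";
                break;
            }
        }

        // 2. Content check independent of the name: a PHP open tag inside a
        //    "picture" is a webshell waiting for an include or a rename.
        $head = (string) file_get_contents( $path, false, null, 0, 4096 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $reasons[] = 'PHP open tag in content';
        }

        // 3. A dropped .htaccess is the classic way to re-enable execution in uploads.
        if ( '.htaccess' === $file->getFilename() ) {
            $reasons[] = '.htaccess in uploads';
        }

        if ( $reasons ) {
            $hits[] = array(
                'path'    => $path,
                'reasons' => $reasons,
                'mtime'   => date( 'c', $file->getMTime() ),
            );
        }
    }
    return $hits;
}

/** Constructed sample tree: one benign image and three files the scan should flag. */
function build_sample_tree(): string {
    $root = sys_get_temp_dir() . '/uraf-scan-' . bin2hex( random_bytes( 4 ) );
    mkdir( "$root/2026/05", 0700, true );
    file_put_contents( "$root/2026/05/avatar.jpg", "\xFF\xD8\xFF\xE0 fake jpeg bytes" );     // benign
    file_put_contents( "$root/2026/05/shell.php", "<?php system(\$_GET['c']); ?>" );         // obvious webshell
    file_put_contents( "$root/2026/05/photo.php.jpg", "<?php echo 1; ?>" );                 // double extension
    file_put_contents( "$root/2026/05/logo.png", "GIF89a<?php eval(\$_POST['x']); ?>" );     // polyglot under an image name
    return $root;
}

$root = $argv[1] ?? build_sample_tree();
foreach ( scan_uploads( $root ) as $hit ) {
    printf( "%s  %s  [%s]\n", $hit['mtime'], $hit['path'], implode( '; ', $hit['reasons'] ) );
}
```

Sort the output by mtime and compare against the plugin's install date and the access log: files that appear in a tight cluster shortly after a multipart POST to the upload handler are the ones to pull for forensic review before deleting anything.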
References
- [CVE-2026-4882 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-4882)
- [Wordfence Threat Intelligence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c6a377-216f-4d61-8fae-ec5bc2793cdf?source=cve)
- [User Registration Advanced Fields - Plugin Page](https://wpuserregistration.com/features/advanced-fields/)
- [CWE-434: Unrestricted Upload of File with Dangerous Type](https://cwe.mitre.org/data/definitions/434.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.