Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-4882

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.

View on NVD

Analysis

This is an unauthenticated remote code execution vulnerability in a WordPress plugin. Although the plugin itself is niche, the severity is critical (CVSS 9.8) and it involves a common file upload bypass that is easy to exploit.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-434

EPSS

Probability of exploitation (next 30 days): 0.0006 (0.1%)
Percentile: 19.6%
EPSS: 2026-05-06

Technical description

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.

Published: 5/2/2026, 5:16:00 AM
Last modified: 5/5/2026, 7:17:22 PM

References

HomeEventsBlogResourcesTeam