CVE-2026-4882
Published: 02 May 2026
Summary
CVE-2026-4882 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpuserregistration (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-4882 is a critical vulnerability in the User Registration Advanced Fields plugin for WordPress, affecting all versions up to and including 1.6.20. The flaw stems from missing file type validation in the 'URAF_AJAX::method_upload' function, enabling arbitrary file uploads. Exploitation requires a "Profile Picture" field to be added to the user registration form on the affected site, potentially allowing attackers to place malicious files on the server and achieve remote code execution.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants high-impact confidentiality, integrity, and availability compromises, primarily through uploading web shells or other executable files that lead to full server compromise.
Advisories from sources like Wordfence detail the issue, with references available at https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c6a377-216f-4d61-8fae-ec5bc2793cdf?source=cve and the plugin's feature page at https://wpuserregistration.com/features/advanced-fields/. Security practitioners should update to a patched version beyond 1.6.20 if available and review forms for the "Profile Picture" field to assess exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26734
Vulnerability details
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin enables arbitrary file upload for RCE, directly mapping to exploitation of public-facing applications (T1190) and web shell deployment (T1505.003).
Mitigating Controls (NIST 800-53 r5)
Patching the User Registration Advanced Fields plugin to a version beyond 1.6.20 directly remedies the missing file type validation in the URAF_AJAX::method_upload function.
Configuring the system to exclude the 'Profile Picture' field from user registration forms disables the vulnerable upload functionality entirely.
Implementing input validation for file uploads, including type checking, directly counters the arbitrary file upload vulnerability regardless of plugin flaws.
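As an added illustration of the input validation described above (this is not the plugin's own code; the function name and destination directory are hypothetical), the handler below allowlists image extensions, sniffs the real content type with finfo instead of trusting the client-supplied MIME type, requires a parsable image, and stores the file under a server-generated name.

```php
<?php
// Added example, not code from the User Registration Advanced Fields plugin.
// validate_profile_picture() and $dest_dir are hypothetical names.

function validate_profile_picture(array $file, string $dest_dir): array {
    // Permitted extensions and the MIME types each one must actually carry.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
    ];
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) {
        return ['ok' => false, 'reason' => 'file too large'];
    }
    // Only the final extension counts, lower-cased; the content checks below
    // still have to agree with it, so the name alone never decides acceptance.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => 'extension not permitted'];
    }
    // Sniff the real content type; $file['type'] comes from the client and is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        return ['ok' => false, 'reason' => "content type $mime does not match .$ext"];
    }
    // Require a parsable image: a script disguised with an image extension fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'reason' => 'not a valid image'];
    }
    // Store under a random server-generated name so the original filename never
    // reaches disk; $dest_dir should not permit PHP execution (or sit outside the web root).
    $target = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    return ['ok' => true, 'path' => $target];
}

// Typical call from an upload handler: $result = validate_profile_picture($_FILES['profile_picture'], '/var/www/uploads/avatars');
```

Pair this with a web-server rule that refuses to execute scripts from the upload directory, since validation at upload time is one layer and CM-7 (Least Functionality) on the storage location is the other.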