Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-4882 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-02 |
| Vendor | WordPress |
| Product | User Registration Advanced Fields (plugin) |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘URAF_AJAX::method_upload’ function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability can only be exploited if a “Profile Picture” field is added to the form.
Required Actions
Update the User Registration Advanced Fields plugin to a version newer than 1.6.20 containing the patch immediately. Until the patch is deployed, remove the “Profile Picture” field from registration forms or fully disable the plugin. Scan the uploads directory for suspicious files (especially .php, .phtml) and review server logs for requests targeting the method_upload AJAX endpoint.
Who Is Affected?
This vulnerability affects User Registration Advanced Fields (plugin) for WordPress. Check whether your organization uses this plugin and whether forms include a “Profile Picture” field.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
