Description
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.
Published: 2026-05-02
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User Registration Advanced Fields plugin for WordPress lacks file type validation in the URAF_AJAX::method_upload function, allowing attackers to upload arbitrary files on the server. This vulnerability can enable remote code execution if the attacker uploads a malicious script. The flaw is identified as CWE-434, classifying it as an arbitrary file upload weakness.

Affected Systems

WPEverest’s User Registration Advanced Fields plugin, all releases up to and including version 1.6.20, is affected. Sites that have installed this plugin and use the "Profile Picture" field in their registration form are susceptible.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. EPSS data is unavailable, and it is not yet listed in CISA’s KEV catalog. Exploitation requires an unauthenticated attacker and the presence of a profile picture field on the form; the upload endpoint can be targeted by a crafted request to place malicious files on the host, potentially leading to remote code execution.

Generated by OpenCVE AI on May 2, 2026 at 06:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Registration Advanced Fields plugin to a version newer than 1.6.20 or delete the plugin if it is no longer needed.
  • Disable or remove the "Profile Picture" field from all registration forms so the vulnerable upload endpoint is not exposed to users.
  • Add server‑side file type validation (e.g., by configuring the web server or using a security plugin) to reject non‑image files uploaded via the plugin.
  • Monitor the plugin’s upload directory for unexpected files and review server logs for attempted exploitation attempts.

Generated by OpenCVE AI on May 2, 2026 at 06:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 05:15:00 +0000

Type Values Removed Values Added
Description The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.
Title User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T04:27:46.466Z

Reserved: 2026-03-26T08:01:39.713Z

Link: CVE-2026-4882

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T05:16:00.933

Modified: 2026-05-02T05:16:00.933

Link: CVE-2026-4882

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses