
CVE-2026-4882: WordPress Plugin Arbitrary File Upload Critical Flaw

The User Registration Advanced Fields plugin for WordPress, in all versions up to and including 1.6.20, is vulnerable to arbitrary file uploads. This critical flaw, identified as CVE-2026-4882, stems from a complete lack of file type validation within the URAF_AJAX::method_upload function, according to the National Vulnerability Database.

The vulnerability lets unauthenticated attackers upload arbitrary files to the affected site's server. An attacker who can place a file with a PHP extension in a web-accessible directory and then request it executes code as the web server user, so the practical consequence is remote code execution (RCE) and full control of the compromised WordPress instance. The National Vulnerability Database assigns a CVSS score of 9.8 (CRITICAL), reflecting that the flaw is reachable over the network with no privileges or user interaction and has full impact on confidentiality, integrity and availability.

Crucially, this is not a default-configuration issue: the vulnerable code path is reachable only if a "Profile Picture" field has been added to a form built with the plugin. That detail matters when assessing exposure, but it is a weak mitigation, since adding that field is an ordinary use of the plugin. The attacker's calculus is straightforward: find unpatched WordPress sites running this plugin with such a form, upload a PHP web shell through the unvalidated endpoint, request it, and gain RCE.

What This Means For You

  • If your organization uses the User Registration Advanced Fields plugin for WordPress, check its version now (the Plugins screen in wp-admin, or "wp plugin list" with WP-CLI). If you are running 1.6.20 or earlier and any form includes a "Profile Picture" field, the site is critically exposed. Apply the vendor's fixed release if one is available; until then, remove the Profile Picture field from every form or deactivate the plugin. Then audit: look in the web server access log for POST requests to /wp-admin/admin-ajax.php carrying the plugin's upload action, and look in wp-content/uploads (and any other directory the plugin writes to) for files with script extensions such as .php, .phtml or .phar, or with double extensions such as image.php.jpg, that you did not put there. Treat any such file as evidence of compromise and investigate the host, not just the site.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

The rule below was auto-generated for this advisory and mapped to MITRE ATT&CK. Its status is experimental, so validate it against your own logs before relying on it.

Severity: critical · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

Sigma rule:
title: CVE-2026-4882: WordPress User Registration Advanced Fields Arbitrary File Upload
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects the AJAX action 'uraf_upload_file' used by the User Registration Advanced Fields plugin to upload files. This is the primary request-level indicator of exploitation for CVE-2026-4882, which allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4882/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    # admin-ajax.php normally receives 'action' in the POST body, which a standard
    # access log does not record; this field only fires when the action is passed in
    # the query string. Use WAF or full-request logging to see body parameters.
    cs-uri-query|contains: 'action=uraf_upload_file'
  condition: selection
falsepositives:
  - Legitimate profile-picture uploads through a form that uses this field
  - Legitimate administrative activity
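The detection logic of the Sigma rule above, run over sample log lines, together with the filesystem audit the "What This Means For You" section asks for, as an added example that is not code from the plugin, from NVD or from Shimi's Cyber World. It assumes, as the rule does, that the plugin's upload AJAX action is named uraf_upload_file, and that uploads land under wp-content/uploads; the log lines and files are constructed for the demonstration. The fourth sample line shows the rule's blind spot: an action sent in the POST body never appears in a plain access log.

```python
"""Hunt for CVE-2026-4882 exploitation artefacts in web server access logs and in the
WordPress uploads tree. Added example, not code from the plugin, NVD or Shimi's Cyber World.
Assumptions not confirmed by the advisory: the upload AJAX action is named
'uraf_upload_file' (as the Sigma rule states) and uploads land under wp-content/uploads."""
import os
import re
import tempfile
from pathlib import Path

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
# Line 1 is the rule's true positive; line 2 is another admin-ajax action; line 3 is the
# follow-on request to a dropped PHP file; line 4 carries its 'action' in the POST body,
# which a plain access log never records, so URI-based rules cannot see it.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2026:08:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=uraf_upload_file HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [02/May/2026:08:21:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2026:08:21:40 +0000] "GET /wp-content/uploads/2026/05/shell.php?cmd=id HTTP/1.1" 200 44 "-" "curl/8.0"
192.0.2.5 - - [02/May/2026:08:22:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions PHP servers commonly execute; a double extension such as x.php.jpg is also
# executable on Apache configurations that match handlers on any dotted segment.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


def parse_line(line):
    """Split one combined-format log line into the fields the rule logic needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def matches_sigma_rule(rec):
    """Same selection as the Sigma rule: POST to admin-ajax.php with the upload action in the query."""
    return (rec["method"] == "POST"
            and "/wp-admin/admin-ajax.php" in rec["path"]
            and "action=uraf_upload_file" in rec["query"])


def has_script_extension(name):
    """True if any dotted segment after the base name is a script extension (catches x.php.jpg)."""
    return any("." + seg in SCRIPT_EXTS for seg in name.lower().split(".")[1:])


def requests_script_under_uploads(rec):
    """Secondary signal: a client fetching a script file from the uploads tree."""
    return (rec["path"].startswith("/wp-content/uploads/")
            and has_script_extension(rec["path"].rsplit("/", 1)[-1]))


def hunt(log_text):
    """Return (signal, client_ip, path) for every line that trips either check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_sigma_rule(rec):
            hits.append(("uraf_upload_file_post", rec["ip"], rec["path"]))
        elif requests_script_under_uploads(rec):
            hits.append(("script_request_under_uploads", rec["ip"], rec["path"]))
    return hits


def find_script_files(uploads_dir):
    """Walk an uploads tree and list files that should never be there."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if has_script_extension(name):
                found.append(Path(root, name).relative_to(uploads_dir).as_posix())
    return sorted(found)


def build_sample_uploads():
    """Create a throwaway directory shaped like wp-content/uploads with constructed files."""
    base = Path(tempfile.mkdtemp(prefix="uploads-"))
    month = base / "2026" / "05"
    month.mkdir(parents=True)
    (month / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (month / "shell.php").write_text("<?php /* constructed placeholder */ ?>\n")
    (month / "double.php.jpg").write_text("<?php /* constructed placeholder */ ?>\n")
    return str(base)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("LOG  ", *hit)
    for rel in find_script_files(build_sample_uploads()):
        print("FILE ", rel)
```

Point hunt() at a real access log and find_script_files() at the real wp-content/uploads directory; a hit from the second function is worth more than one from the first, because the log check only sees the action when it travels in the query string.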

Source: Shimi's Cyber World


Indicators of Compromise

These entries describe the vulnerable component and its preconditions rather than network observables; the request-level indicator is the upload AJAX action matched by the rule above.

ID | Type | Indicator
CVE-2026-4882 | RCE | User Registration Advanced Fields plugin for WordPress
CVE-2026-4882 | Arbitrary File Upload | User Registration Advanced Fields plugin for WordPress, versions <= 1.6.20
CVE-2026-4882 | Arbitrary File Upload | Missing file type validation in the 'URAF_AJAX::method_upload' function
CVE-2026-4882 | Attack Vector | Exploitable only if a 'Profile Picture' field has been added to a form
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 08:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

