CVE-2026-4882

CRITICAL

User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-4882. PoCs published by xShadow-Here.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-4882, an unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields WordPress plugin (versions <= 1.6.20). The exploit automates nonce discovery, file upload, and verification, leveraging a GIF89a polyglot shell to achieve remote code execution (RCE).

Description

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a "Profile Picture" field is added to the form.

Exploits (1)

nomisec WORKING POC

by xShadow-Here · poc

https://github.com/xShadow-Here/CVE-2026-4882

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-4882, an unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields WordPress plugin (versions <= 1.6.20). The exploit automates nonce discovery, file upload, and verification, leveraging a GIF89a polyglot shell to achieve remote code execution (RCE).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: User Registration Advanced Fields WordPress plugin <= 1.6.20

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed · Access to registration form paths

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 16, 2026 Full analysis →

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c6a377-216f-4d61-8fae-ec5bc2793cdf?source=cve

https://wpuserregistration.com/features/advanced-fields/

Scores

CVSS v3 9.8

EPSS 0.0009

EPSS Percentile 26.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

WPEverest/User Registration Advanced Fields < 1.6.20

Published May 02, 2026

Tracked Since May 02, 2026