PT-2026-36566 · WordPress · User Registration Advanced Fields
Jude Nwadinobi · Published 2026-05-02 · Updated 2026-05-02
CVE-2026-4882
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
User Registration Advanced Fields versions prior to 1.6.21
Description
The User Registration Advanced Fields plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the server. This issue stems from missing file type validation within the method upload() function of the 'URAF AJAX' class, which could lead to remote code execution. This flaw is only exploitable if a "Profile Picture" field has been added to the registration form.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
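The file type validation that the description reports as missing from the upload handler can be sketched as follows. This is an added example, not the plugin's code or its fix; the function name `validate_profile_picture`, the allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example; function name and allowlist are assumptions, not plugin code.
const ALLOWED_IMAGES = [ // extension => MIME type the content must match
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Returns [true, server-side file name] or [false, reason]. */
function validate_profile_picture(string $tmpPath, string $clientName): array
{
    // 1. The extension must be on the allowlist; the client name is untrusted.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        return [false, "extension '$ext' not allowed"];
    }
    // 2. Sniff the stored bytes; the Content-Type sent by the client is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        return [false, "content is $mime, expected " . ALLOWED_IMAGES[$ext]];
    }
    // 3. The file must parse as an image with non-zero dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return [false, 'not a decodable image'];
    }
    // 4. Store under a server-generated name, keeping only the vetted extension.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample inputs: a 1x1 PNG and a text file posing as an image.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$samples = [
    ['avatar.png', $png],                                       // accepted
    ['avatar.php', $png],                                       // rejected: extension
    ['avatar.png', "<?php // constructed non-image content\n"], // rejected: content
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$ok, $detail] = validate_profile_picture($tmp, $name);
    printf("%-12s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $detail);
    unlink($tmp);
}
```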
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
User Registration Advanced Fields