LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-4882

CVE-2026-4882 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: May 2, 2026

User Registration Advanced Fields WordPress plugin - Unrestricted File Upload

Published: May 2, 2026Updated: May 2, 2026Remote Exploitable

Overview

User Registration Advanced Fields WordPress plugin <= 1.6.20 contains an unrestricted file upload vulnerability caused by missing file type validation in 'URAF_AJAX::method_upload', letting unauthenticated attackers upload arbitrary files, exploit requires a 'Profile Picture' field in the form.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to the latest version beyond 1.6.20.

References

Related Resources

Details

CVE ID
CVE-2026-4882
Severity
Critical
CVSS Score
9.8
Type
unrestricted_file_upload
Status
new

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H