CVE-2026-4882 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-4882 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-4882 is an unauthenticated arbitrary file upload vulnerability in the User Registration Advanced Fields plugin for WordPress, specifically within the URAF_AJAX::method_upload function, affecting all versions up to and including 1.6.20.

Technical Detail

The flaw stems from a complete absence of file type validation in the URAF_AJAX::method_upload function, which handles profile picture uploads submitted via AJAX. An unauthenticated attacker can submit a crafted request to this endpoint and upload a malicious file, such as a PHP web shell, to the server's file system. If the uploaded file lands in a web-accessible directory and is executed by the server, this results in remote code execution (RCE) under the web server's process privileges. Exploitation requires that a "Profile Picture" field has been added to a registration form on the target site, which is a common configuration for sites using this plugin's extended functionality.

Exploitation Status

A proof-of-concept (PoC) exploit is publicly available. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and active in-the-wild exploitation has not been confirmed as of May 2, 2026. However, the combination of a public PoC, unauthenticated attack vector, and high-impact outcome (RCE) significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability. Given the broad WordPress ecosystem and the critical severity of the flaw, opportunistic mass-scanning activity is a realistic near-term concern once exploitation tooling matures beyond PoC stage.

What To Do

Update the User Registration Advanced Fields plugin to a version later than 1.6.20 as soon as the vendor publishes a patched release. If no patch is yet available, the most effective interim mitigation is to remove any "Profile Picture" field from all registration forms, which eliminates the exploitable code path entirely. As a detection measure, site administrators should also audit web-accessible upload directories for unexpected PHP or other executable files. Given the CVSS score of 9.8 and the availability of a public PoC, this should be treated as a high-priority remediation item. Web application firewall rules blocking unauthenticated file upload requests to AJAX endpoints provide an additional layer of defense in depth.
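The upload-directory audit recommended above, as an added example that is not code from the plugin, its vendor or this briefing. It assumes the usual wp-content/uploads layout; the executable-extension list, the PHP markers and the image signatures are this example's own choices, and the sample files it audits are constructed.

```python
import tempfile
from pathlib import Path

# Server-side extensions that have no business in an uploads tree (this example's list).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Byte sequences that mark PHP code, checked regardless of the file name.
PHP_MARKERS = (b"<?php", b"<?=")
# Signatures of the image formats a profile-picture field legitimately produces.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "webp"}

def classify(path: Path) -> list[str]:
    """Return the reasons one file looks suspicious; an empty list means clean."""
    reasons = []
    parts = path.name.lower().split(".")
    if {"." + p for p in parts[1:]} & EXECUTABLE_EXTS:  # every extension: catches x.php.jpg too
        reasons.append("executable extension")
    with path.open("rb") as fh:
        head = fh.read(4096)  # only the head is needed for signature and marker checks
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php code in content")
    if parts[-1] in IMAGE_EXTS and not head.startswith(IMAGE_MAGIC):
        reasons.append("image extension without image signature")
    return reasons

def audit_uploads(root: str) -> list[tuple[str, str]]:
    """Walk an uploads tree and return (relative_path, reason) for each finding."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            findings.extend((rel, reason) for reason in classify(path))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Build a constructed sample uploads tree in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    samples = {  # constructed sample files, not artefacts from any real incident
        "2026/05/avatar.jpg": jpeg,                             # legitimate picture
        "2026/05/upload.php": b"<?php echo 'constructed'; ?>",  # PHP where only images belong
        "2026/05/photo.php.jpg": jpeg,                          # double extension
        "2026/05/picture.png": b"<?= 'constructed' ?>",         # PHP behind an image name
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return audit_uploads(root)
```

Run `audit_uploads("/path/to/wp-content/uploads")` against a live site; `demo()` only exercises the checks on the constructed tree.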
