
CVE-2026-4882 - WordPress User Registration Advanced Fields upload RCE

The WordPress User Registration Advanced Fields add-on versions <=1.6.20 contain a critical arbitrary file upload vulnerability in URAF_AJAX::method_upload. The vulnerable upload path does not sufficiently validate file types for the Profile Picture field, allowing an unauthenticated attacker to upload files that may become executable on the server.

Exposure depends on configuration: the public registration or profile form must include a Profile Picture field. When that condition is true, the vulnerability can become remote code execution if the uploaded file is stored where the web server or PHP runtime can execute it. During this run, the checked public sources did not confirm a patched release beyond 1.6.20, so the safe default is to disable the affected upload path or the add-on until a fixed vendor release is available and deployed.

Affected versions

  • Vulnerable: User Registration Advanced Fields WordPress add-on <=1.6.20
  • Fixed: No fixed version was confirmed from the checked public sources during this run.
  • Exposure condition: A public registration or profile form includes the Profile Picture field handled by the add-on.

Indicators of exposure

  • The repository owns a WordPress site, image, Bedrock/Composer project, plugin bundle, deployment manifest, or runbook that installs user-registration-advanced-fields.
  • A deployable WordPress target resolves User Registration Advanced Fields 1.6.20 or older.
  • A public registration, account, or profile form includes a Profile Picture upload field from the add-on.
  • The runtime stores uploaded files under a web-reachable location such as wp-content/uploads, especially if PHP execution is not explicitly denied.
  • Logs, templates, or plugin code reference URAF_AJAX::method_upload, method_upload, or add-on profile-picture upload handling.

Quick checks:

```sh
# Plugin inventory and status via WP-CLI
wp plugin list --fields=name,version,status | grep -Ei 'user-registration-advanced-fields|advanced-fields'
wp plugin status user-registration-advanced-fields
# Repository references to the add-on or its upload handler
rg -n "user-registration-advanced-fields|URAF_AJAX|method_upload|profile picture|profile_picture|profile-pic|profile_pic" .
# Installed plugin files (the global -maxdepth option must precede -path, or find warns)
find . -maxdepth 8 -path "*/wp-content/plugins/*advanced*fields*" -type f | head
# Server-side script files that should never sit under uploads
find . -path "*/wp-content/uploads/*" -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" \) | head
```

Remediation strategy

  • If the vendor has published a fixed release after 1.6.20, upgrade through the repository’s normal plugin delivery channel and regenerate lockfiles, image metadata, and SBOMs.
  • If no fixed release is available, disable or remove User Registration Advanced Fields until a patched release can be deployed.
  • If the add-on cannot be fully disabled, remove the Profile Picture field from every public form and block the affected upload action at the edge or in WordPress routing.
  • Enforce non-executable upload storage for WordPress uploads, including a web server rule that prevents PHP execution under wp-content/uploads.
  • Review uploaded files and web logs for suspicious executable extensions, double extensions, unexpected MIME types, and requests touching the add-on’s upload handler.
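As an added example (not the advisory's or the add-on's own code) for the last two bullets above and for steps 7 and 8 of the prompt below: a POSIX shell script that writes an Apache deny rule into a constructed uploads tree and audits that tree for PHP-like files, including double extensions and a stray `.user.ini`. It assumes Apache 2.4 with `.htaccess` overrides enabled for `wp-content/uploads`; Nginx needs the equivalent `location` rule instead.

```sh
#!/bin/sh
# Added example, not code from the advisory or the add-on. Assumes Apache 2.4
# with AllowOverride enabled for wp-content/uploads (nginx needs a location rule).
set -eu

# Deny Apache from serving or executing PHP-like files under uploads. The
# pattern also matches double extensions such as avatar.php.jpg.
write_uploads_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# CVE-2026-4882 containment: never execute server-side code from uploads
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# List files that must never live under uploads: PHP-like extensions anywhere
# in the name (covers double extensions) and .user.ini, which can re-enable PHP.
audit_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' \
    -o -iname '*.php[0-9]' -o -iname '*.php[0-9].*' \
    -o -iname '*.phtml' -o -iname '*.phtml.*' \
    -o -iname '*.phar' -o -iname '*.phar.*' \
    -o -iname '*.phps' -o -iname '*.phps.*' \
    -o -iname '.user.ini' \) | sort
}

count_suspicious_uploads() {
  audit_uploads "$1" | wc -l | tr -d '[:space:]'
}

# Build a constructed uploads tree (empty files) to exercise the checks offline.
make_sample_uploads() {
  d=$(mktemp -d)
  mkdir -p "$d/2026/04"
  : > "$d/2026/04/avatar.jpg"        # benign
  : > "$d/2026/04/notes.txt"         # benign
  : > "$d/2026/04/avatar.php.jpg"    # double extension
  : > "$d/2026/04/shell.PHTML"       # case variant
  : > "$d/.user.ini"                 # per-directory PHP config
  echo "$d"
}

d=$(make_sample_uploads)
write_uploads_htaccess "$d"
echo "Suspicious files under $d:"
audit_uploads "$d"                     # prints the three planted entries
rm -rf "$d"
```

The same audit can be pointed at a real uploads directory; review its output by hand rather than deleting anything automatically, as the operator actions below require.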

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-4882 (WordPress User Registration Advanced Fields
arbitrary file upload). Produce exactly one output:

- A reviewer-ready PR/change request that removes or contains the vulnerable
  upload path, deploys a fixed vendor release if one is available, adds
  verification, and documents required operator cleanup, or
- TRIAGE.md if this repository does not own the WordPress plugin deployment or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-4882.
- Do not upload executable payloads to production or shared staging systems.
- Do not print, commit, or attach real uploaded user files, profile pictures,
  cookies, sessions, WordPress nonces, or user data.
- Do not hand-edit vendored plugin code unless no vendor upgrade is available
  and the patch is explicitly documented as temporary containment.
- Do not leave a public Profile Picture upload field enabled on a vulnerable
  add-on version.
- Do not auto-merge.

## Steps

1. Inventory WordPress ownership in this repository:
   - `wp-content/plugins/user-registration-advanced-fields`;
   - Composer, Bedrock, premium-plugin, or artifact references for User
     Registration Advanced Fields;
   - WP-CLI install scripts, Dockerfiles, build artifacts, Helm charts,
     Terraform, Ansible, or deployment runbooks;
   - SBOMs, image manifests, plugin lock/state files, and WordPress operator
     documentation.
2. If the repository does not deploy or package a WordPress site with User
   Registration Advanced Fields, stop with `TRIAGE.md` explaining what was
   checked and who owns the runtime remediation.
3. Determine the resolved User Registration Advanced Fields version for every
   deployable target. A target is vulnerable if it resolves to `<=1.6.20`.
4. Determine whether any public registration, account, profile, membership, or
   onboarding form includes the add-on's Profile Picture upload field.
5. Check whether this repository can consume a vendor release fixed after
   `1.6.20`. If yes, upgrade through the normal channel and regenerate
   Composer locks, plugin manifests, image metadata, SBOMs, or deployment
   render output as appropriate.
6. If no fixed release is available or the fixed release cannot be consumed
   immediately, implement the safest containment controlled by this repo:
   disable the add-on, remove/deactivate the Profile Picture field from public
   forms, block the affected upload handler at the edge, or add an emergency
   runbook requiring operators to disable the feature before deployment.
7. Ensure web server or platform configuration prevents PHP execution in
   WordPress upload directories. Add or update Apache, Nginx, Caddy,
   container, or hosting config where this repository owns it.
8. Add verification using a non-executable benign test file in a non-production
   environment that proves the vulnerable upload path is disabled, patched, or
   rejects dangerous file types. Do not include exploit payloads.
9. Add a PR body section named `CVE-2026-4882 operator actions` that requires:
   - confirmation production no longer runs a vulnerable public Profile
     Picture upload path;
   - confirmation of the deployed add-on version or disablement status;
   - review of `wp-content/uploads` and any custom upload directory for
     executable or suspicious files;
   - review of web logs for the add-on upload handler and unexpected upload
     requests;
   - removal or quarantine of suspicious uploads through an operator-approved
     incident process, not an automatic destructive script.
10. Run the relevant validation: Composer install/update checks, WordPress
    plugin inventory, image build, deployment rendering, web server config
    tests, PHP tests, upload smoke tests, and security scans available in this
    repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-4882 in User Registration Advanced Fields`.

## Stop conditions

- No WordPress site or User Registration Advanced Fields deployment is
  controlled by this repository.
- The plugin version or form configuration is managed exclusively in production
  outside the repo.
- No fixed vendor release is available and this repo cannot disable the add-on,
  remove the Profile Picture field, or block the upload route.
- The only apparent fix would automatically delete user uploads or expose
  private user files.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.

Verification - what the reviewer looks for

  • No deployable target still exposes User Registration Advanced Fields <=1.6.20 with a public Profile Picture upload field.
  • If a fixed release exists, the PR updates the real plugin delivery path, such as Composer lockfiles, WP-CLI install scripts, plugin artifact bundles, images, or deployment manifests.
  • If no fixed release exists, disablement or containment is explicit and deployable.
  • Upload storage cannot execute PHP or equivalent server-side code.
  • Operator actions cover uploaded-file review and web log review without exposing user files or running destructive cleanup automatically.
  • Build, dependency, image, deployment, and upload-path checks pass or unrelated failures are documented.

Watch for

  • Premium-plugin delivery paths that are not visible in WordPress.org or WPackagist but are copied into images or artifact bundles.
  • Sites that remove the Profile Picture field from one form while another registration, profile, or membership form still exposes it.
  • Upload directories where PHP execution is enabled by inherited hosting or .htaccess behavior.
  • Cleanup scripts that delete user uploads before operators preserve evidence and confirm whether incident response is needed.
