<0.1% probability · 24.3th percentile — 2026-05-12
Affected versions
User Registration Advanced Fields plugin for WordPress, all versions <= 1.6.20
Summary
This vulnerability occurs due to missing file type validation in the plugin's upload function. It can be exploited by unauthenticated attackers if a Profile Picture field is added to any registration form on the site. Successful exploitation allows attackers to upload arbitrary malicious files, leading to full remote code execution on the affected server.
Remediation
Update the User Registration Advanced Fields plugin to the latest patched version immediately. Disable the plugin if a patch is not yet available. Temporarily remove all public registration forms that include a Profile Picture field to block exploitation vectors.