Impact statement: CVE-2026-4882 is a critical vulnerability in the User Registration Advanced Fields add-on for WordPress. Wordfence rates it 9.8 critical, and Patchstack lists the issue as high priority with a CVSS score of 10. On vulnerable sites, unauthenticated visitors may be able to place dangerous files on the server when affected registration form features are exposed, which creates a remote code execution risk.
This matters for membership sites, customer portals, course sites, communities, agencies, and hosting providers that allow public registration with custom profile fields. If the add-on is installed, patch first. If public registration is enabled, review the site after patching.
Who Is Affected
Check WordPress sites that run the User Registration Advanced Fields add-on alongside the User Registration and Membership plugin ecosystem. The riskiest sites are the ones that let visitors create accounts and submit profile information from the public web.
- Affected: User Registration Advanced Fields versions 1.6.20 and older.
- Fixed: User Registration Advanced Fields 1.6.21 or newer.
- Higher-risk use cases: public registration, customer onboarding, membership profiles, course enrollment, content restriction, paid subscription, and community accounts.
- Risk increases when registration forms collect profile media or uploaded user content.
Patch First
Update User Registration Advanced Fields to 1.6.21 or newer. Because this is an add-on, some sites may need to update through the vendor account, the WordPress dashboard, or the agency/hosting management panel instead of the public WordPress.org updater.
wp plugin list --fields=name,status,version,update --format=table
wp plugin get user-registration-advanced-fields --fields=name,version,status,update_version --format=table
wp plugin update user-registration-advanced-fields
wp cache flush
If WP-CLI does not recognize the add-on slug, update it through Dashboard > Plugins or the WPEverest/User Registration account used to license the add-on. After updating, clear page cache, object cache, security-plugin cache, and CDN cache.
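For hosting teams that need to triage many installs at once, the script below is an added example (not part of the advisory or the vendor's tooling): it assumes WP-CLI is on PATH, takes WordPress install paths as arguments, and classifies each installed add-on version against the 1.6.21 fix with a field-by-field numeric comparison, because a plain string sort would rank 1.6.3 above 1.6.21.

```shell
#!/bin/sh
# Fleet triage helper (added example, not from the advisory or the vendor).
# Assumes WP-CLI ("wp") is on PATH and each argument is a WordPress install path.

FIXED_VERSION="1.6.21"   # first fixed release of the add-on, per the advisory

# Compare two dotted versions field by field as integers so that 1.6.3 sorts
# below 1.6.21 (plain string comparison gets this wrong). Prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes like -beta1
        ai="${ai:-0}"; bi="${bi:-0}"               # missing field counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# "vulnerable" for anything below the fixed release, otherwise "patched".
classify_version() {
    if [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' patched
    fi
}

# One line per site: <path> <installed version|not-installed> <status>.
# --field=version is a standard WP-CLI option; a missing plugin makes wp fail.
triage_site() {
    site="$1"
    if ver=$(wp --path="$site" plugin get user-registration-advanced-fields \
                --field=version 2>/dev/null); then
        printf '%s %s %s\n' "$site" "$ver" "$(classify_version "$ver")"
    else
        printf '%s not-installed n/a\n' "$site"
    fi
}

# Run over every install path given on the command line, e.g.
#   sh triage.sh /var/www/*/public_html
for site_path in "$@"; do triage_site "$site_path"; done
```

Sites reported as vulnerable still need the update applied through whichever channel licenses the add-on, followed by the cache flush described above.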
Immediate Mitigation If You Cannot Patch Yet
If you cannot update immediately, reduce exposure until the patched version is installed and tested.
- Disable public registration when the site does not need it.
- Temporarily remove public profile-media collection from registration forms.
- Require manual approval for new accounts.
- Restrict registration pages to trusted users or maintenance windows.
- Use a managed WordPress firewall or virtual patch rule when available.
- Back up the site before making form or plugin changes.
Safe Verification
Do not run random public testing tools against production sites. Verify the installed version and review the site for unexpected files and account activity.
wp plugin get user-registration-advanced-fields --fields=name,version,status,update_version --format=table
wp user list --fields=ID,user_login,user_email,roles,registered --format=table
find wp-content/uploads -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print
That file review is not proof of compromise by itself. It is a quick way for an administrator to spot executable files in upload storage that usually should contain images, documents, and other expected media.
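The script below is an added example, not the advisory's own check: it wraps the extension-based find above and goes a step further with a content check for files that carry a PHP open tag behind an image-style name and a check for .htaccess files inside uploads, run against a constructed sample tree so it can be tried offline.

```shell
#!/bin/sh
# Upload-tree review helper (added example, not from the advisory or the vendor).
# Findings are printed as "<reason> <path>", one per line.

scan_uploads() {
    dir="$1"
    # 1. Files whose extension alone makes them executable under most PHP handlers.
    find "$dir" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \
        -o -name '*.phar' \) -print 2>/dev/null |
        while IFS= read -r f; do printf 'php-extension %s\n' "$f"; done
    # 2. Files with a harmless-looking name whose first KiB carries a PHP open tag,
    #    e.g. PHP saved as photo.jpg; only dangerous if something executes it.
    find "$dir" -type f ! \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \
        -o -name '*.phar' \) -print 2>/dev/null |
        while IFS= read -r f; do
            if head -c 1024 "$f" | grep -q '<?php'; then
                printf 'php-tag-in-body %s\n' "$f"
            fi
        done
    # 3. Any .htaccess inside uploads deserves a look: uploads should not need one,
    #    and a stray one can change how the web server handles the files around it.
    find "$dir" -type f -name '.htaccess' -print 2>/dev/null |
        while IFS= read -r f; do printf 'htaccess-in-uploads %s\n' "$f"; done
}

# Number of findings, for a quick "is there anything to look at" check.
count_findings() { scan_uploads "$1" | wc -l | tr -d ' '; }

# Constructed sample tree so the script runs stand-alone; prints its path.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2026/04"
    printf 'GIF89a constructed sample' > "$d/2026/04/avatar.gif"
    printf '<?php /* constructed sample, no code */' > "$d/2026/04/profile.php"
    printf '<?php /* constructed sample, no code */' > "$d/2026/04/photo.jpg"
    printf '# constructed sample\n' > "$d/2026/04/.htaccess"
    printf '%s\n' "$d"
}

# Usage: sh review-uploads.sh wp-content/uploads   (with no argument the script
# scans the constructed sample tree and removes it afterwards)
if [ "$#" -gt 0 ]; then scan_uploads "$1"; else
    sample=$(make_sample_uploads); scan_uploads "$sample"; rm -rf "$sample"; fi
```

As with the plain find, a hit is a lead for a human to open and assess, not a verdict; legitimate plugins occasionally drop helper files into uploads, so compare each finding against the site's known plugins before acting.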
What To Review After Updating
For sites that had public registration enabled before patching, review the site like a small WordPress security incident.
- Unexpected executable files in upload directories.
- Recent user registrations and role changes.
- New administrator accounts that staff did not create.
- New plugin installs, plugin activations, theme changes, and theme editor activity.
- Security plugin alerts, web server access logs, PHP error logs, and hosting file-change logs.
- Unknown scheduled jobs, unfamiliar mu-plugins, and recently modified theme files.
Hosting Provider Notes
For hosting teams and agencies, prioritize sites that combine public registration with the Advanced Fields add-on. Ask customers whether they collect profile images or other uploaded profile content during sign-up. Patch the add-on, clear caches, and review writable directories before telling the customer the work is complete.
Customer messaging can stay simple: the site used a vulnerable WordPress registration add-on, the add-on was updated to a fixed version, public registration settings were reviewed, and the site was checked for unexpected users, files, plugins, themes, and administrator changes.
Hardening Checklist
- Keep WordPress core, plugins, themes, and paid add-ons current.
- Disable public registration unless the business workflow requires it.
- Use manual account approval for public membership sites.
- Limit profile media and uploaded user content to what the business actually needs.
- Require multi-factor authentication for administrators, editors, store managers, and support staff.
- Monitor writable directories for unexpected executable files.
- Keep clean backups that include both database and files, and test restore steps.
Fix I.T. Phill Guidance
Patch User Registration Advanced Fields to 1.6.21 or newer, then review public registration forms and upload storage. If the site does not truly need public profile media during sign-up, turn that piece off. The defensive order is straightforward: update, reduce public exposure, clear cache, review users, review writable files, and document what changed for the customer.