Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.
AnalysisAI
Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.
Technical ContextAI
Piotnet Addons for Elementor Pro (PAFE) is a third-party extension that augments the Elementor Pro page builder for WordPress with additional widgets including form builders. The vulnerability resides in the 'pafe_ajax_form_builder' AJAX endpoint, which processes form submissions containing file uploads. Per the CWE-434 classification (Unrestricted Upload of File with Dangerous Type), the root cause is reliance on a denylist approach to file validation rather than an allowlist of permitted MIME types or extensions. The denylist only excludes php, phpt, php5, php7, and exe, while Apache and many PHP-FPM configurations will still execute files with .phar, .phtml, .pht, or .php3/.php4 extensions depending on the AddHandler/SetHandler directives, allowing webshell delivery via overlooked extensions. The affected CPE is cpe:2.3:a:piotnet:piotnet_addons_for_elementor_pro spanning all versions up to and including 7.1.70.
RemediationAI
No vendor-released patch version is confirmed in the available input data; administrators should consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ffff2ff3-769d-4eb2-acbe-d8ce6f042581 and the vendor site https://pafe.piotnet.com/ for an updated release beyond 7.1.70. As immediate compensating controls, remove any file-upload field from PAFE-built forms (which closes the vulnerable code path per the description's own caveat) or deactivate and remove the plugin entirely if a fixed version is not yet available; both eliminate plugin functionality that depends on user file uploads. As a server-side defense, configure the web server to refuse execution of .phar, .phtml, .pht, .php3, .php4, and .phps in the wp-content/uploads directory via a .htaccess rule (SetHandler None or php_flag engine off) or equivalent nginx location block, accepting that this hardens uploads broadly but may interfere with other plugins legitimately relying on those extensions. A WAF rule from Wordfence or equivalent that blocks pafe_ajax_form_builder requests carrying non-allowlisted file extensions is a reasonable interim control until a vendor fix is verified.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30849
GHSA-gjqr-fmw5-p2v4