Skip to main content

Piotnet Addons for Elementor Pro CVE-2026-4885

| EUVDEUVD-2026-30849 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-19 Wordfence GHSA-gjqr-fmw5-p2v4
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 08:30 vuln.today

DescriptionCVE.org

The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.

AnalysisAI

Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.

Technical ContextAI

Piotnet Addons for Elementor Pro (PAFE) is a third-party extension that augments the Elementor Pro page builder for WordPress with additional widgets including form builders. The vulnerability resides in the 'pafe_ajax_form_builder' AJAX endpoint, which processes form submissions containing file uploads. Per the CWE-434 classification (Unrestricted Upload of File with Dangerous Type), the root cause is reliance on a denylist approach to file validation rather than an allowlist of permitted MIME types or extensions. The denylist only excludes php, phpt, php5, php7, and exe, while Apache and many PHP-FPM configurations will still execute files with .phar, .phtml, .pht, or .php3/.php4 extensions depending on the AddHandler/SetHandler directives, allowing webshell delivery via overlooked extensions. The affected CPE is cpe:2.3:a:piotnet:piotnet_addons_for_elementor_pro spanning all versions up to and including 7.1.70.

RemediationAI

No vendor-released patch version is confirmed in the available input data; administrators should consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ffff2ff3-769d-4eb2-acbe-d8ce6f042581 and the vendor site https://pafe.piotnet.com/ for an updated release beyond 7.1.70. As immediate compensating controls, remove any file-upload field from PAFE-built forms (which closes the vulnerable code path per the description's own caveat) or deactivate and remove the plugin entirely if a fixed version is not yet available; both eliminate plugin functionality that depends on user file uploads. As a server-side defense, configure the web server to refuse execution of .phar, .phtml, .pht, .php3, .php4, and .phps in the wp-content/uploads directory via a .htaccess rule (SetHandler None or php_flag engine off) or equivalent nginx location block, accepting that this hardens uploads broadly but may interfere with other plugins legitimately relying on those extensions. A WAF rule from Wordfence or equivalent that blocks pafe_ajax_form_builder requests carrying non-allowlisted file extensions is a reasonable interim control until a vendor fix is verified.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy