A critical (CVSS 9.8) flaw in the Piotnet Forms WordPress plugin allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution on affected sites.
What Is It
CVE-2026-4883 is an arbitrary file upload vulnerability in the Piotnet Forms plugin for WordPress, affecting all versions up to and including 2.1.40. The flaw lives in the piotnetforms_ajax_form_builder function, which relies on an incomplete extension blacklist for file type validation. The blacklist only blocks the php, phpt, php5, php7, and exe extensions, leaving other server-executable extensions such as .phar and .phtml permitted. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
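To make the failure mode concrete, here is an added example (written for this page, not code from the Piotnet Forms plugin, which is PHP) that models the two validation strategies side by side. BLACKLIST mirrors the five extensions the advisory says the vulnerable check rejects; the PHP_LIKE and ALLOWED sets, the lower-casing of extensions, and the sample filenames are assumptions made for the demonstration. The example goes slightly beyond the two extensions named above by listing other extensions that common PHP handler configurations also execute.

```python
"""Added example: why an extension blacklist fails as a CWE-434 control.

Models a deny-list check and an allow-list check in plain Python. This is
not the plugin's code; BLACKLIST is the set the advisory reports, while
PHP_LIKE, ALLOWED and SAMPLES are assumptions for the demonstration.
"""
import os

# Extensions the advisory says the vulnerable check rejects.
BLACKLIST = {"php", "phpt", "php5", "php7", "exe"}

# Extensions commonly routed to the PHP interpreter by web-server handlers.
# The exact set depends on the server config; this list is illustrative.
PHP_LIKE = {"php", "php3", "php4", "php5", "php7", "php8",
            "phps", "phpt", "pht", "phtml", "phar"}

# Assumed allow list for a typical contact-form file field.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}


def extension(filename: str) -> str:
    """Final extension, lower-cased, without the dot; '' if there is none."""
    return os.path.splitext(os.path.basename(filename))[1][1:].lower()


def blacklist_check(filename: str) -> bool:
    """Vulnerable pattern: accept unless the last extension is on a deny list.

    Lower-casing the extension is an assumption of this model, not a claim
    about what the plugin does.
    """
    return extension(filename) not in BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Hardened pattern: accept only known-safe extensions, and reject names
    that carry a PHP-like extension anywhere (shell.php.jpg), since some
    Apache setups dispatch on any extension in the name. Null bytes and
    dot-files are rejected outright."""
    name = os.path.basename(filename)
    if "\x00" in name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False                      # no extension, or empty segment
    if parts[-1] not in ALLOWED:
        return False
    return not any(p in PHP_LIKE for p in parts[1:-1])


def blacklist_gaps() -> list:
    """PHP-like extensions the deny list lets through."""
    return sorted(PHP_LIKE - BLACKLIST)


def compare(filenames):
    """Return {filename: (blacklist_accepts, allowlist_accepts)}."""
    return {f: (blacklist_check(f), allowlist_check(f)) for f in filenames}


# Constructed sample filenames (not taken from any real upload).
SAMPLES = [
    "photo.jpg", "report.PDF", "shell.php", "shell.PHP",
    "shell.phar", "shell.phtml", "shell.php.jpg", "shell.php\x00.jpg",
]

if __name__ == "__main__":
    print("blacklist misses:", ", ".join(blacklist_gaps()))
    for name, (bl, al) in compare(SAMPLES).items():
        print(f"{name!r:24} blacklist={'accept' if bl else 'reject'}  "
              f"allowlist={'accept' if al else 'reject'}")
```

Running it shows the deny list accepting shell.phar, shell.phtml and the double-extension shell.php.jpg while the allow list rejects all three; the only way to keep pace with every extension a server might execute is to enumerate what is permitted rather than what is forbidden.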
Why It Matters
The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It is exploitable over the network, requires no privileges, and requires no user interaction. Because unauthenticated attackers can upload files with executable extensions like .phar or .phtml, successful exploitation may yield remote code execution on the underlying web server, with high impact to confidentiality, integrity, and availability.
There is one exploitation prerequisite: a file field must be present in a form built with the plugin. Sites that expose any Piotnet Form containing a file upload field are directly reachable by anonymous attackers.
What's Vulnerable
- Product: Piotnet Forms plugin for WordPress
- Affected versions: All versions up to and including 2.1.40
- Vulnerable code path: the piotnetforms_ajax_form_builder function
- Precondition for exploitation: at least one form on the site must include a file upload field
This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog based on the supplied data, so no in-the-wild exploitation has been confirmed by CISA at this time.
Patch Status
The supplied NVD record (status: Received, published 2026-05-19) does not name a fixed version or explicit remediation step. Administrators running Piotnet Forms ≤ 2.1.40 should monitor the vendor and Wordfence advisory pages referenced below for an updated release, and in the interim consider disabling the plugin or removing file upload fields from any exposed forms to eliminate the exploitation precondition. Note that neither step removes files already uploaded, so the site's upload directory should also be reviewed for files carrying extensions the blacklist does not cover, such as .phar and .phtml.