A critical (CVSS 9.8) flaw in the Piotnet Addons for Elementor Pro WordPress plugin lets unauthenticated attackers upload arbitrary files, potentially leading to remote code execution on affected sites.
What Is It
CVE-2026-4885 is an arbitrary file upload vulnerability (CWE-434) in the pafe_ajax_form_builder function of the Piotnet Addons for Elementor Pro plugin. The function relies on an incomplete extension blacklist that blocks only php, phpt, php5, php7, and exe files, while still permitting server-executable extensions such as .phar and .phtml. Because there is no positive file-type validation beyond this blacklist, an attacker can upload a file with a non-blocked executable extension and drop executable content onto the host.
The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no authentication, no user interaction, and high impact to confidentiality, integrity, and availability.
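To make the weakness concrete, the following added example (not code from the plugin or from the advisory) models the blacklist check as the advisory describes it beside an allowlist check a hardened form builder would use. The BLOCKED_EXTENSIONS set is taken from the advisory's list; the ALLOWED_EXTENSIONS set, the double-extension rule and the sample filenames are assumptions constructed for illustration.

```python
import os

# Taken from the advisory: the only extensions the flawed check rejects.
BLOCKED_EXTENSIONS = {"php", "phpt", "php5", "php7", "exe"}

# Hypothetical allowlist for a document/image upload field (assumption, not the plugin's list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}


def _extensions(filename: str) -> list[str]:
    """Return every dotted segment after the base name, lower-cased."""
    name = os.path.basename(filename)
    parts = name.split(".")
    return [p.lower() for p in parts[1:]]


def blacklist_allows(filename: str) -> bool:
    """Mirror of the incomplete check: anything not explicitly blocked is accepted,
    so .phar, .phtml and any other unlisted server-executable suffix pass through."""
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    return last not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the file must have a base name, at least one extension,
    and every dotted segment must be on the allowlist (compared case-insensitively).
    Requiring every segment to be allowed is an extra hardening assumption that
    rejects names such as report.phtml.jpg rather than only inspecting the last suffix."""
    name = os.path.basename(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or dotfile such as .htaccess
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:] and [p.lower() for p in parts[1:]])


def compare(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Evaluate each name under both checks: (blacklist_allows, allowlist_allows)."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the two extensions the advisory names.
    samples = ["report.pdf", "photo.JPG", "shell.php", "shell.phtml", "bundle.phar", ".htaccess"]
    for name, (weak, strong) in compare(samples).items():
        print(f"{name:14} blacklist={'accept' if weak else 'reject':6} allowlist={'accept' if strong else 'reject'}")
```

Run as a script, the table shows shell.phtml and bundle.phar accepted by the blacklist but rejected by the allowlist, which is the gap the advisory describes. In a real deployment the extension allowlist should be paired with a server-side content check and a random server-chosen storage name; the advisory's interim advice of removing file fields or deactivating the plugin remains the quickest mitigation.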
Why It Matters
The vulnerability is exploitable by unauthenticated attackers over the network with low complexity. Successful upload of a .phar or .phtml payload can yield remote code execution on the underlying WordPress server, giving an attacker a foothold for full site compromise, data theft, defacement, or pivoting deeper into the hosting environment. Elementor-based sites are widely deployed, and any installation running this plugin with a form that includes a file field is reachable from the open internet.
There is no CISA KEV entry confirming in-the-wild exploitation at the time of disclosure.
What's Vulnerable
- Plugin: Piotnet Addons for Elementor Pro for WordPress
- Affected versions: All versions up to and including 7.1.70
- Exploit precondition: A form on the site must include a file upload field for the pafe_ajax_form_builder path to be reachable.
- Attacker requirements: None; unauthenticated, remote, no user interaction.
Patch Status
The NVD record (status: Received, published 2026-05-19) does not list a fixed version. Administrators should consult the vendor and Wordfence advisories below for the patched release and, in the interim, remove or disable file upload fields in Piotnet-driven forms, or deactivate the plugin until a fix is verified.
Sources
- NVD, CVE-2026-4885: https://nvd.nist.gov/vuln/detail/CVE-2026-4885
- Wordfence Threat Intel advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/ffff2ff3-769d-4eb2-acbe-d8ce6f042581?source=cve
- Vendor, Piotnet Addons for Elementor: https://pafe.piotnet.com/