CVE-2026-4885
Arbitrary File Upload in Piotnet Addons for Elementor Pro
Status: Deferred - Pending Action

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: Wordfence

Description
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks the php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. Note: the vulnerability can only be exploited if a file field has been added to the form.
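The following PHP example is added here to illustrate the defect class the description names; it is not code from the Piotnet Addons for Elementor Pro plugin. It places a blacklist check modelled on the advisory's description (only php, phpt, php5, php7 and exe refused) beside an allowlist check that also verifies every dotted segment of the file name and compares the extension with the MIME type detected from the file contents. The function names, the allowed-type table and the two sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the Piotnet Addons for Elementor Pro plugin.
// It contrasts the kind of extension blacklist described in the advisory with
// an allowlist-based check that also verifies the file's detected MIME type.
// Function names and the allowed-type table are assumptions for illustration.

declare(strict_types=1);

// Blacklist-style check modelled on the advisory's description: only the five
// listed extensions are refused, so .phtml, .phar and similar pass through.
function blacklist_allows_upload(string $filename): bool
{
    $blocked = ['php', 'phpt', 'php5', 'php7', 'exe'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened check: a closed allowlist of extensions, every dotted segment after
// the base name must be on it (so "x.phtml.png" is rejected), and the MIME type
// detected from the file contents must match the extension.
function allowlist_allows_upload(string $filename, string $tmpPath): bool
{
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    $segments = explode('.', strtolower(basename($filename)));
    if (count($segments) < 2) {
        return false;                 // no extension at all
    }
    array_shift($segments);           // drop the base name
    foreach ($segments as $segment) {
        if (!isset($allowed[$segment])) {
            return false;             // unknown extension anywhere in the name
        }
    }
    $ext = end($segments);

    if (!is_file($tmpPath)) {
        return false;                 // nothing was actually uploaded
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime !== false && in_array($mime, $allowed[$ext], true);
}

// Demonstration with constructed sample files: a minimal PNG header and a
// text file carrying a PHP open tag. Returns the verdict of both checks per name.
function demo(): array
{
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
        . pack('NNCCCCC', 1, 1, 8, 6, 0, 0, 0) . pack('N', 0));
    $script = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($script, "<?php echo 'constructed sample'; ?>\n");

    $cases = [
        ['photo.png',       $png],      // legitimate image
        ['shell.phtml',     $script],   // passes the blacklist, fails the allowlist
        ['shell.phar',      $script],   // same
        ['shell.php',       $script],   // the blacklist does catch this one
        ['shell.phtml.png', $script],   // double extension
        ['disguised.jpg',   $script],   // allowed extension, wrong content
    ];

    $results = [];
    foreach ($cases as [$name, $path]) {
        $results[$name] = [
            'blacklist' => blacklist_allows_upload($name),
            'allowlist' => allowlist_allows_upload($name, $path),
        ];
    }
    unlink($png);
    unlink($script);
    return $results;
}

foreach (demo() as $name => $r) {
    printf("%-16s blacklist=%-5s allowlist=%s\n", $name,
        $r['blacklist'] ? 'pass' : 'block', $r['allowlist'] ? 'pass' : 'block');
}
```

Run with `php example.php`: only photo.png passes the allowlist check, while the blacklist lets every name except shell.php through. Inside WordPress, the equivalent of the hardened path is to hand the upload to core's `wp_handle_upload()` or `wp_check_filetype_and_ext()`, which validate against the site's allowed MIME list and inspect the content rather than trusting the extension alone.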
Meta Information
Published: 2026-05-19
Last modified: 2026-05-19
Generated: 2026-05-20
AI Q&A generated: 2026-05-19
EPSS evaluated: 2026-05-19
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: piotnet
Product: addons_for_elementor_pro
Version / Range: up to 7.1.70 (inclusive)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

The Piotnet Addons for Elementor Pro plugin for WordPress has a vulnerability in its 'pafe_ajax_form_builder' function that allows arbitrary file uploads. This happens because the plugin does not properly validate file types when uploading files through forms.

The plugin uses an incomplete blacklist of file extensions, blocking only php, phpt, php5, php7, and exe files, but it allows dangerous extensions like .phar or .phtml to be uploaded.

As a result, unauthenticated attackers can upload arbitrary files to the server hosting the affected site, potentially enabling remote code execution. However, this exploit requires that a file upload field is present in the form.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows unauthenticated attackers to upload arbitrary files to your server.

Such file uploads can lead to remote code execution, meaning attackers could run malicious code on your server, potentially taking control of your website, stealing data, defacing your site, or using your server for further attacks.

Given the high CVSS score of 9.8, this is a critical security risk that should be addressed promptly.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability exists due to missing file type validation in the 'pafe_ajax_form_builder' function of the Piotnet Addons for Elementor Pro plugin, allowing arbitrary file uploads with dangerous extensions.

Immediate mitigation steps include:

  • Update the Piotnet Addons for Elementor Pro plugin to a version later than 7.1.70 where the vulnerability is fixed.
  • If an update is not immediately possible, remove or disable any file upload fields in forms created with the plugin to prevent exploitation.
  • Restrict access to the form builder or the affected endpoints to authenticated and trusted users only.
  • Monitor your site for any suspicious file uploads, especially files with extensions like .phar or .phtml.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution on the affected server.

Such unauthorized access and potential control over the server could lead to exposure or compromise of sensitive data, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of personal and health information.

However, the provided information does not explicitly discuss the impact on compliance with these regulations.

