CVE-2026-4885 | The Piotnet Addons for Elementor Pro plugin for WordPress is… | CVSS 9.8 CRITICAL

Description

The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.

Metadata

CVE ID: CVE-2026-4885
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-03-26 09:27 UTC
Published: 2026-05-19 06:46 UTC
Last updated: 2026-05-19 12:28 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product: Piotnet / Piotnet Addons For Elementor Pro
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Piotnet	Piotnet Addons For Elementor Pro	—	0 ≤ 7.1.70

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434 Unrestricted Upload of File with Dangerous Type

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)