PatchSiren cyber security CVE debrief
CVE-2026-4885 Piotnet CVE debrief
CVE-2026-4885 is a critical arbitrary file upload issue in Piotnet Addons for Elementor Pro for WordPress, affecting all versions up to and including 7.1.70. The flaw is in pafe_ajax_form_builder, where file type validation is limited to an incomplete extension blacklist. Because only php, phpt, php5, php7, and exe are blocked, dangerous extensions such as .phar and .phtml may still be uploaded. The issue is exploitable without authentication and can potentially lead to remote code execution if the site uses a form with a file field.
- Vendor: Piotnet
- Product: Piotnet Addons For Elementor Pro
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
WordPress site owners and administrators using Piotnet Addons for Elementor Pro version 7.1.70 or earlier, managed WordPress hosts, incident responders, and security teams responsible for plugin governance and file-upload controls.
Technical summary
The vulnerability is an unauthenticated arbitrary file upload weakness caused by insufficient file type validation in pafe_ajax_form_builder. The plugin’s extension blacklist is incomplete, so attackers may upload executable or interpreter-recognized file types that are not explicitly blocked. The supplied CVE description notes the exploit requires a form that includes a file field. NVD lists the weakness as CWE-434 and rates the issue CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Defensive priority
Immediate. Treat as critical because exploitation is network-accessible, unauthenticated, and may enable full site compromise through malicious file upload.
Recommended defensive actions
- Update Piotnet Addons for Elementor Pro to a version newer than 7.1.70 as soon as a vendor fix is available.
- Audit all WordPress forms using this plugin for file upload fields and disable unnecessary file uploads until patched.
- Review web server and application file-permission settings so uploaded files cannot be executed from upload directories.
- Search for suspicious recent uploads with executable or interpreter-related extensions, including extensions not usually allowed by the application.
- Check access logs and WordPress activity logs for unexpected POST requests to the plugin’s form-builder endpoint.
- If the plugin is not essential, disable or remove it until remediation is confirmed.
- Validate any compensating controls, such as WAF rules or upload filtering, but do not rely on them as the sole fix.
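As an added illustration (not code from the plugin or from the advisory) of the incomplete-blacklist pattern in the technical summary and of the upload sweep recommended above: the blacklist check beside an allowlist check, plus a sweep over a constructed list of upload names. The allowlist, the interpreter-extension list and the sample names are assumptions, and the allowlist also rejects double extensions such as image.php.jpg, a case the advisory does not mention.

```python
from pathlib import PurePosixPath

# Extensions the CVE description says pafe_ajax_form_builder blocks.
PAFE_BLACKLIST = {"php", "phpt", "php5", "php7", "exe"}

# Constructed allowlist for one form's file field (assumption: what that
# form actually needs; tighten per form).
FORM_ALLOWLIST = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions commonly mapped to the PHP interpreter by web servers; used for
# the defensive sweep of existing uploads (assumption: not exhaustive).
INTERPRETER_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "pht",
                    "phtml", "phar", "phpt"}

def _components(name):
    """Lower-cased dot-separated parts of the basename, e.g. ['a', 'php', 'jpg']."""
    return PurePosixPath(name).name.lower().split(".")

def blacklist_allows(name):
    """The incomplete-blacklist pattern: reject listed extensions, accept the rest."""
    return _components(name)[-1] not in PAFE_BLACKLIST

def allowlist_allows(name):
    """Hardened check: the name must have an extension, the last one must be
    allowlisted, dotfiles are rejected, and no earlier component may be
    interpreter-recognized (rejects double extensions like 'image.php.jpg')."""
    parts = _components(name)
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False
    if any(p in INTERPRETER_EXTS for p in parts[1:-1]):
        return False
    return parts[-1] in FORM_ALLOWLIST

def suspicious_uploads(names):
    """Defensive sweep: names carrying any interpreter-recognized extension
    component; these are candidates for review, not proof of compromise."""
    return sorted(n for n in names
                  if any(p in INTERPRETER_EXTS for p in _components(n)[1:]))

# Constructed sample of names as they might appear in an uploads directory.
SAMPLE_UPLOADS = ["cv.pdf", "photo.jpg", "resume.PHTML", "archive.phar",
                  "backdoor.php", "image.php.jpg", "notes.txt"]

if __name__ == "__main__":
    for n in SAMPLE_UPLOADS:
        print(f"{n:15} blacklist={blacklist_allows(n)!s:5} allowlist={allowlist_allows(n)}")
    print("review:", suspicious_uploads(SAMPLE_UPLOADS))
```

Run against a real uploads directory by feeding it the file names from os.scandir; anything it flags should be reviewed with the site's access logs before deletion.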
Evidence notes
The supplied source corpus identifies CVE-2026-4885 as a WordPress plugin vulnerability affecting Piotnet Addons for Elementor Pro up to and including 7.1.70. The source description states that pafe_ajax_form_builder lacks proper file type validation and uses an incomplete extension blacklist, allowing dangerous extensions such as .phar and .phtml. The NVD source item lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-434, and its metadata shows NVD status as Deferred. The vendor attribution in the supplied metadata is marked low-confidence and needs review, so product naming here follows the CVE description and the referenced source URLs rather than assuming a fully verified vendor taxonomy.
Official resources
Publicly disclosed in the supplied NVD record on 2026-05-19; the source item also notes NVD status as Deferred. Product attribution in the supplied metadata is low-confidence and should be reviewed.