CVE-2026-4883 describes a critical file upload flaw in the Piotnet Forms WordPress plugin. The issue affects versions up to and including 2.1.40 and can allow unauthenticated attackers to upload arbitrary files, which may lead to remote code execution if the uploaded content is executable on the server. The supplied record notes that exploitation requires a file field to be added to the form.
CVE-2026-4885 is a critical arbitrary file upload issue in Piotnet Addons for Elementor Pro for WordPress, affecting all versions up to and including 7.1.70. The flaw is in pafe_ajax_form_builder, where proper file type validation is missing and the check relies on an incomplete blacklist. Because only php, phpt, php5, php7, and exe are blocked, dangerous extensions such as .phar and .phtml may still be uploaded. The issue is un [truncated]
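
The blacklist weakness described for CVE-2026-4885, shown beside an allowlist check, as an added example that is not the plugin's code. The function names, the allowlist contents and the sample file names are assumptions; only the five blocked extensions come from the record above.

```php
<?php
declare(strict_types=1);

// The five extensions the record lists as blocked.
const BLOCKED = ['php', 'phpt', 'php5', 'php7', 'exe'];

// Constructed allowlist for a form that only needs images and PDFs (assumption).
const ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Lower-cased final extension of the client-supplied name ('' if none).
function upload_extension(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Blacklist logic: anything not explicitly blocked is accepted,
// so every executable extension missing from the list gets through.
function denylist_accepts(string $name): bool
{
    return !in_array(upload_extension($name), BLOCKED, true);
}

// Allowlist logic: reject unless the extension is expected, and store the
// file under a server-generated name so the client-supplied name is never
// used on disk. Returns the name to store under, or null when rejected.
function allowlist_stored_name(string $name): ?string
{
    $ext = upload_extension($name);
    if (!in_array($ext, ALLOWED, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; .phar and .phtml are the extensions named above.
$samples = ['invoice.pdf', 'photo.PNG', 'a.php', 'a.phar', 'a.phtml'];
foreach ($samples as $name) {
    printf(
        "%-12s blacklist=%-6s allowlist=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_stored_name($name) ?? 'reject'
    );
}
```

Extension checks are one layer only: serving the upload directory with script execution disabled limits the impact if a check is bypassed.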