PatchSiren

Piotnet CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Piotnet CVE published 2026-05-19

CVE-2026-4883

CVE-2026-4883 describes a critical file upload flaw in the Piotnet Forms WordPress plugin. The issue affects versions up to and including 2.1.40 and can allow unauthenticated attackers to upload arbitrary files, which may lead to remote code execution if the uploaded content is executable on the server. The supplied record notes that exploitation requires a file field to be added to the form.

CRITICAL Piotnet CVE published 2026-05-19

CVE-2026-4885

CVE-2026-4885 is a critical arbitrary file upload issue in Piotnet Addons for Elementor Pro for WordPress, affecting all versions up to and including 7.1.70. The flaw is in pafe_ajax_form_builder, which lacks proper file type validation and relies on an incomplete blacklist. Because only php, phpt, php5, php7, and exe are blocked, dangerous extensions such as .phar and .phtml may still be uploaded. The issue is un [truncated]