CVE-2026-4885
Description
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. Note: The vulnerability can only be exploited if a file field has been added to the form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated arbitrary file upload in Piotnet Addons for Elementor Pro ≤7.1.70 due to incomplete extension blacklist, leading to RCE.
Vulnerability
Overview
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload in versions up to and including 7.1.70. The vulnerability resides in the pafe_ajax_form_builder function, which does not validate uploaded file types properly. Instead of an allowlist of expected types, the plugin applies an incomplete extension blacklist that blocks only php, phpt, php5, php7, and exe, so files with other server-side executable extensions such as .phar or .phtml are accepted [1]. Whether such a file then runs as PHP depends on the web server's handler mapping; common Apache PHP packaging (for example the Debian-family mod_php and php-fpm configuration) maps .php, .phar and .phtml to the PHP interpreter, which is why a deny-list that stops at .php and its numbered variants is insufficient.
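As an added illustration (not code from the Piotnet plugin, which the page does not quote), the following Python models the deny-list the description attributes to pafe_ajax_form_builder and contrasts it with an allow-list check. The five blocked extensions are taken from the description; the allow-list, the sample file names, and the set of extensions assumed to be routed to the PHP handler (the Debian-family Apache/php-fpm default of .php, .phar and .phtml) are assumptions for the demo.

```python
"""Deny-list vs allow-list extension checks for a form upload handler.

Added illustration only: this is not code from the Piotnet plugin. The five
blocked extensions are the ones the CVE description names; everything else
(allow-list, sample file names, PHP handler mapping) is an assumption.
"""
import os
import posixpath

# Extensions the description says the vulnerable check rejects.
DESCRIBED_BLACKLIST = frozenset({"php", "phpt", "php5", "php7", "exe"})

# What a contact/application form typically needs (assumed for the demo).
ALLOWLIST = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})

# Extensions the Debian-family Apache mod_php / php-fpm config routes to the PHP
# interpreter (FilesMatch ".+\.ph(ar|p|tml)$"). Assumed server setup; other hosts
# may map more (.php5, .phps, ...) or fewer.
PHP_EXECUTABLE = frozenset({"php", "phar", "phtml"})


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the basename, '' if there is none."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lstrip(".").lower()


def blacklist_check(filename: str) -> bool:
    """Model of the vulnerable logic: accept unless the extension is deny-listed."""
    return extension_of(filename) not in DESCRIBED_BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Hardened logic: accept only a known-good extension; no extension is a reject."""
    ext = extension_of(filename)
    return bool(ext) and ext in ALLOWLIST


# Constructed sample names: benign, blocked, and the gap the CVE describes.
SAMPLE_NAMES = [
    "photo.jpg", "resume.pdf", "notes",
    "shell.php", "shell.php5", "shell.exe",
    "shell.phtml", "shell.phar",
]


def compare(names=SAMPLE_NAMES):
    """Map each name to (blacklist_accepts, allowlist_accepts, server_runs_as_php)."""
    return {
        n: (blacklist_check(n), allowlist_check(n), extension_of(n) in PHP_EXECUTABLE)
        for n in names
    }


def blacklist_bypasses(names=SAMPLE_NAMES):
    """Names the deny-list accepts that the assumed server would execute: the CVE's gap."""
    return sorted(n for n, (bl, _al, runs) in compare(names).items() if bl and runs)


if __name__ == "__main__":
    for n, (bl, al, runs) in compare().items():
        print(f"{n:12} blacklist={'accept' if bl else 'reject'}  "
              f"allowlist={'accept' if al else 'reject'}  runs_as_php={runs}")
    print("deny-list accepts but server executes:", blacklist_bypasses())
```

Running the script lists every sample name under both checks; shell.phtml and shell.phar pass the deny-list and fall in the assumed PHP handler mapping, while the allow-list rejects them along with the extension-less name. The allow-list is still only an extension check; a real handler should also verify the content type (WordPress's own wp_check_filetype_and_ext does this) and store uploads under a randomized name in a directory where the web server does not execute scripts.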
Exploitation
Conditions
The affected form must contain a file upload field; forms without one do not expose the vulnerable upload path. No authentication is required, so any visitor of a site using the plugin can reach it. An attacker submits the form with a file whose extension is not on the blacklist but is executable server-side (e.g., .phar or .phtml) and, if the upload location is web-accessible and the server maps that extension to PHP, requests the uploaded file to run it.
Impact
Successful exploitation lets an attacker place arbitrary files on the server. If the web server executes the uploaded file as PHP, the result is remote code execution (RCE) as the web server user, which typically means control of the WordPress installation (database credentials in wp-config.php, plugin and theme code) and a foothold on the underlying host.
Mitigation
The vendor has not released a patch as of the publication date; all versions up to and including 7.1.70 are affected. Until a fixed release is available, site owners should remove the file field from Piotnet forms or disable the form file upload functionality. Independently of the plugin, denying PHP execution for the uploads directory at the web server (the usual wp-content/uploads hardening) limits what an uploaded .phtml or .phar file can do, and existing uploads should be checked for files with server-side executable extensions or for PHP code inside files with otherwise innocuous names.
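Added example for the triage step in the mitigation above (this is not vendor or advisory code): a Python scan over a WordPress uploads tree that flags files by server-side executable extension and, going a step beyond the description, also by a PHP open tag inside files with harmless-looking names. The suspect extension set, the uploads layout and the fixture files are constructed for the demo.

```python
"""Triage scan of an uploads tree for PHP that should not be there.

Added example, not from the advisory or the vendor. Flags a file when its
extension is one a PHP handler may execute, or when its first bytes contain a
PHP open tag regardless of extension. Fixture content is constructed.
"""
import re
import tempfile
from pathlib import Path

# The gap the CVE describes (.phtml, .phar) plus the extensions it did block.
# Assumed set; extend it for whatever your web server maps to PHP.
SUSPECT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phpt"}

# "<?php" or the short echo tag "<?="; long-open-tag only, so "<?xml" is ignored.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")


def file_looks_like_php(path: Path, head: int = 4096) -> bool:
    """True if a PHP open tag appears in the first `head` bytes of the file."""
    with path.open("rb") as fh:
        return PHP_TAG.search(fh.read(head)) is not None


def scan_uploads(root):
    """Return sorted paths (relative to root, POSIX style) that merit a look."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() in SUSPECT_EXTENSIONS or file_looks_like_php(p):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_fixture():
    """Constructed uploads tree: benign files, the CVE's gap, and a disguised one."""
    root = Path(tempfile.mkdtemp(prefix="uploads-demo-"))
    files = {
        "2026/05/photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes",
        "2026/05/report.pdf": b"%PDF-1.4 constructed document",
        "2026/05/readme.txt": b"plain text, nothing to see",
        "2026/05/avatar.phtml": b"<?php phpinfo(); ?>",          # the CVE's gap
        "2026/05/bundle.phar": b"<?php echo 'test'; __HALT_COMPILER();",
        "2026/05/disguised.jpg": b"GIF89a<?php echo 'test'; ?>",  # tag inside an image name
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    for hit in scan_uploads(demo_root):
        print("suspect:", hit)
```

Point scan_uploads at the real wp-content/uploads directory to use it on a site; the fixture only exists so the script runs stand-alone. A hit is a reason to inspect the file and the access log around its upload time, not proof of compromise on its own, and a file with a PHP tag under a .jpg name only executes where the server is misconfigured to pass such names to PHP.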
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 7.1.70
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.