CVE-2026-4885
CWE-434Published: May 19, 2026· Updated: May 19, 2026
Official Description
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.
Risk Analysis
This critical vulnerability in the Piotnet Addons for Elementor Pro plugin for WordPress allows unauthenticated attackers to upload arbitrary files due to inadequate file type validation. With a CVSS score of 9.8, this flaw could lead to remote code execution and full system compromise. The lack of an EPSS score means the exploitation likelihood is not yet quantified, but the high CVSS score indicates extreme urgency.
No public exploit is currently known for this vulnerability. This flaw is remotely exploitable without user interaction, provided a file field is present in a form.
To mitigate this vulnerability, users should update the Piotnet Addons for Elementor Pro plugin to a version beyond 7.1.70. Ensure all file upload functionalities are properly secured with comprehensive file type validation.
Technical Analysis
CVE-2026-4885 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.8.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-434)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-4885 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts