External risk intelligence

WordPress plugin allows attackers to upload harmful files to your server

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-4885

A critical flaw in the Piotnet Addons for Elementor Pro WordPress plugin lets unauthenticated attackers upload dangerous files to your server, potentially allowing them to run any code they want.

Halo Surface Signal score for CVE-2026-4885 (external exposure likelihood): 4

Weakness class: Unrestricted File Upload

The vulnerability exists within a WordPress plugin used for creating interactive web forms. These forms are designed to be embedded in public-facing websites to collect user input, making the vulnerable endpoint inherently reachable via the internet as part of normal web application deployment.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Piotnet Addons for Elementor Pro WordPress plugin allows unauthenticated attackers to upload malicious files to the server. This could potentially lead to the execution of arbitrary code on your website.

  • Reachable from the internet.
  • Requires a file upload field to be present.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this flaw by uploading a malicious file, such as a PHP web shell, through a form created by the Piotnet Addons for Elementor Pro plugin. This is possible because the plugin fails to properly validate uploaded file types, allowing dangerous extensions like `.phar` or `.phtml` to bypass security checks. Successful exploitation could lead to remote code execution on the target server.

  • Requires a file field in form.
  • Target is a form builder function.
  • Unauthenticated remote access.
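The attack path above hinges on an extension blacklist that omits variants the web server may still hand to the PHP interpreter. The following added example (not plugin code; the blacklist contents and the allowlist are constructed assumptions) puts the weak pattern beside the hardened one so the failure mode is visible: the blacklist accepts `.phtml` and `.phar`, while an allowlist that also rejects multiple extensions and any PHP-executable segment does not.

```python
"""Allowlist vs. incomplete-blacklist extension checks for an upload field.

Added example, not code from the plugin. The blacklist contents and the
allowlist are constructed assumptions chosen to illustrate the weakness.
"""
import os

# Constructed: a blacklist that covers only the obvious cases.
INCOMPLETE_BLACKLIST = {"php", "exe"}

# Extensions a PHP handler configuration may treat as executable; any of
# them appearing anywhere in an uploaded file name is a reason to reject.
PHP_EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht",
}

# Hardened: only what a contact/application form legitimately needs.
UPLOAD_ALLOWLIST = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}


def _extensions(filename: str) -> list[str]:
    """Return every extension segment after the base name, lower-cased.

    'report.pdf'    -> ['pdf']
    'shell.php.jpg' -> ['php', 'jpg']
    'shell.php.'    -> ['php']   (empty trailing segment dropped)
    """
    base = os.path.basename(filename.strip())
    parts = base.lower().split(".")
    return [p for p in parts[1:] if p]


def blacklist_check(filename: str) -> bool:
    """The weak pattern: look only at the final extension and reject it
    only when it is on the (incomplete) blacklist. Returns True = accept."""
    exts = _extensions(filename)
    return bool(exts) and exts[-1] not in INCOMPLETE_BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Hardened pattern: exactly one extension, it must be allowlisted, and
    no segment of the name may be PHP-executable. Returns True = accept."""
    exts = _extensions(filename)
    if len(exts) != 1:
        return False  # no extension, double extension, or trailing dot
    if any(e in PHP_EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[0] in UPLOAD_ALLOWLIST


def compare(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each name to (accepted by blacklist, accepted by allowlist)."""
    return {f: (blacklist_check(f), allowlist_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names; the first three are what the advisory
    # describes slipping past an incomplete blacklist.
    for name, verdict in compare(
        ["upload.phtml", "upload.phar", "UPLOAD.PhP5", "photo.jpg",
         "report.pdf", "doc.php.jpg", "notes.txt"]
    ).items():
        print(f"{name:16} blacklist={verdict[0]!s:5} allowlist={verdict[1]}")
```

The allowlist deliberately rejects names with more than one extension (so `archive.tar.gz` is refused too); for a form that only needs documents and images that is the safer default, and it closes the double-extension case without a second rule.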

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Piotnet Addons for Elementor Pro plugin allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. While exploitation requires a file field to be present on a form, the absence of comprehensive file type validation on the server side is a significant weakness. Attackers may find this appealing because WordPress and Elementor are so widely used for website creation, making vulnerable sites a common target.

  • Unauthenticated remote code execution possible.
  • Incomplete extension blacklist.
  • Exploitable via form file fields.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on identifying and blocking malicious traffic targeting the Piotnet Addons for Elementor Pro plugin, as it allows unauthenticated attackers to upload arbitrary files. Prioritize investigating any form submissions that may have been used to exploit this vulnerability to assess the extent of potential code execution.

  • Block uploads via the 'pafe_ajax_form_builder' endpoint.
  • Monitor for unusual file uploads or execution.
  • Update Piotnet Addons for Elementor Pro to version 7.1.71 or later.
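For the "monitor for unusual file uploads" step, the check a defender most wants is a sweep of the uploads tree for anything that should never land there. The added example below (not WordPress or plugin code) flags files whose name carries a PHP-executable extension and files that contain a PHP open tag regardless of extension; it builds a constructed sample tree in a temporary directory so it runs offline, and the planted file contents are placeholders, not real payloads.

```python
"""Sweep an uploads directory for files that should never be there.

Added example, not WordPress or plugin code. Two signals are checked:
  (a) a PHP-executable extension anywhere in the file name, and
  (b) a PHP open tag in the first 4 KiB of content, whatever the extension.
The sample tree is constructed here for an offline run.
"""
import tempfile
from pathlib import Path

PHP_EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht",
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_suspicious_uploads(root: str) -> list[tuple[str, str]]:
    """Return (path relative to root, reason) for every suspicious file."""
    findings: list[tuple[str, str]] = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        segments = [s.lower() for s in path.name.split(".")[1:]]
        if any(s in PHP_EXECUTABLE_EXTENSIONS for s in segments):
            findings.append((rel, "php-executable extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        if any(tag in head for tag in PHP_OPEN_TAGS):
            findings.append((rel, "php open tag in content"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: two legitimate files plus three planted ones.
    Contents are placeholders; the PHP snippets only echo a string."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    files = {
        "2026/03/brochure.pdf": b"%PDF-1.4 constructed sample\n",
        "2026/03/logo.png": b"\x89PNG\r\n\x1a\n constructed sample",
        "2026/03/form-123/cv.phtml": b"<?php echo 'placeholder'; ?>",
        "2026/03/form-124/photo.jpg": b"<?php echo 'placeholder'; ?>",
        "2026/03/form-125/archive.phar": b"constructed placeholder bytes",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, reason in find_suspicious_uploads(sample_root):
        print(f"{reason:28} {rel_path}")
```

Run it against the real `wp-content/uploads` path instead of the sample tree to triage a site; a `.jpg` carrying a PHP open tag is worth investigating even where the server would not execute it, because it shows the form accepted content it was never meant to hold.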

Frequently asked questions

What is Piotnet Addons for Elementor Pro?

Piotnet Addons for Elementor Pro is a plugin for WordPress websites that enhances the functionality of the Elementor page builder. It is used to create and customize interactive web forms, allowing website owners to collect user information.

What kind of weakness does CVE-2026-4885 represent?

CVE-2026-4885 is an arbitrary file upload vulnerability. This means the Piotnet Addons for Elementor Pro plugin incorrectly allows users to upload files that are not the intended type, potentially including malicious executables or scripts.

What are the conditions needed to exploit this vulnerability?

An attacker can exploit this vulnerability if a file upload field is present within a form created by the Piotnet Addons for Elementor Pro plugin. Because the plugin fails to properly validate file extensions, dangerous file types can be uploaded even when the form was never intended to accept them.

Who is at risk from this vulnerability?

This vulnerability is relevant to anyone running the Piotnet Addons for Elementor Pro plugin on their WordPress site, especially if that site is internet-facing. The Halo Surface Signal indicates this vulnerability is likely reachable via the internet as part of normal website operations.

What is the first step to address this threat?

The immediate first step is to update the Piotnet Addons for Elementor Pro plugin to version 7.1.71 or later. This update is expected to include fixes for the missing file type validation that allows arbitrary file uploads.
