ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-4885 — Unauthenticated Arbitrary File Upload in Piotnet Addons for Elementor Pro

A brief summary of CVE-2026-4885, a critical unauthenticated arbitrary file upload vulnerability in Piotnet Addons for Elementor Pro versions up to 7.1.70, caused by an incomplete file extension blacklist that allows dangerous extensions like .phar and .phtml.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Quick Look: CVE-2026-4885 — Unauthenticated Arbitrary File Upload in Piotnet Addons for Elementor Pro
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An incomplete file extension blacklist in a popular WordPress form builder plugin has opened the door to unauthenticated remote code execution on potentially thousands of WordPress sites. CVE-2026-4885 affects Piotnet Addons for Elementor Pro, a plugin that extends the widely used Elementor page builder with advanced form functionality, and it carries a CVSS score of 9.8 with no patch currently available.

Piotnet Addons for Elementor is developed by Piotnetdotcom and provides additional widgets, form builders, and interactive elements for WordPress sites using Elementor. The free version alone has over 30,000 active installations on the WordPress plugin repository, and the Pro version extends this with premium features including advanced form file uploads. As a plugin that sits in the critical path of user input handling on WordPress sites, vulnerabilities in this component have direct implications for site integrity.

Technical Information

The vulnerability resides in the pafe_ajax_form_builder function, which handles file uploads submitted through forms built with Piotnet Addons for Elementor Pro. The function implements file type validation using an extension blacklist approach rather than an allowlist. This blacklist is incomplete: it blocks the extensions php, phpt, php5, php7, and exe, but it does not account for other extensions that Apache and other web servers can be configured to interpret as executable PHP code.

The following table illustrates the gap in the blacklist:

ExtensionBlocked by PAFE Pro 7.1.70Execution Risk
.phpYesHigh
.phptYesHigh
.php5YesHigh
.php7YesHigh
.exeYesHigh
.pharNoHigh
.phtmlNoHigh

On many default or common Apache configurations, files with .phar (PHP Archive) and .phtml (PHP HTML) extensions are processed by the PHP interpreter. This means an attacker can craft a PHP webshell or other malicious payload, save it with one of these extensions, and upload it through the form. The server will then execute the file contents as PHP when the uploaded file is accessed via its URL.

Attack Flow

The exploitation path is straightforward and requires no authentication:

  1. The attacker identifies a WordPress site running Piotnet Addons for Elementor Pro version 7.1.70 or earlier.
  2. The attacker locates a form on the site that includes a file upload field generated by the plugin.
  3. The attacker crafts a malicious PHP payload and names the file with a .phar or .phtml extension.
  4. The attacker submits the form with the malicious file attached. Because the blacklist does not include these extensions, the upload succeeds without any authentication check.
  5. The attacker navigates to the uploaded file's URL on the server.
  6. The web server processes the file as PHP, executing the attacker's code with the privileges of the web server process.

The only precondition is that a file upload field must be present on at least one form built with the affected plugin. No credentials, no special headers, no complex chaining required.

This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It is worth noting that this is not the first time this exact function has been the source of a critical file upload flaw. In 2021, researchers at Imunify360 disclosed a similar unauthenticated file upload and remote code execution vulnerability in the same pafe_ajax_form_builder function, suggesting the underlying validation logic was never comprehensively addressed.

Affected Systems and Versions

All versions of Piotnet Addons for Elementor Pro from the initial release through version 7.1.70 (inclusive) are affected. The vulnerability is exploitable on any WordPress installation where:

  • Piotnet Addons for Elementor Pro version 0 through 7.1.70 is installed and active
  • At least one form created with the plugin contains a file upload field
  • The web server is configured to execute .phar or .phtml files as PHP (which is common in default Apache configurations)

No patch is available as of May 19, 2026. The most recent release, version 7.1.70 (March 11, 2026), addressed Server Side Request Forgery and Cross Site Scripting issues but does not fix this file upload vulnerability.

Vendor Security History

Piotnetdotcom has a documented pattern of severe input validation and authorization vulnerabilities across their product line:

YearVulnerability TypeAffected Component
2021Unauthenticated File Upload and RCEPiotnet Addons for Elementor Pro
2023Access violation and unauthorized data accessPiotnet Forms
2025Cross Site ScriptingPiotnet Addons For Elementor
2026Unauthenticated Arbitrary File UploadPiotnet Addons for Elementor Pro

The 2021 vulnerability is particularly relevant because it affected the same pafe_ajax_form_builder function. The recurrence of a nearly identical flaw in the same code path five years later raises questions about the vendor's approach to security remediation and code review.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization