Introduction
An incomplete file extension blacklist in a popular WordPress form builder plugin has opened the door to unauthenticated remote code execution on potentially thousands of WordPress sites. CVE-2026-4885 affects Piotnet Addons for Elementor Pro, a plugin that extends the widely used Elementor page builder with advanced form functionality, and it carries a CVSS score of 9.8 with no patch currently available.
Piotnet Addons for Elementor is developed by Piotnetdotcom and provides additional widgets, form builders, and interactive elements for WordPress sites using Elementor. The free version alone has over 30,000 active installations on the WordPress plugin repository, and the Pro version extends this with premium features including advanced form file uploads. As a plugin that sits in the critical path of user input handling on WordPress sites, vulnerabilities in this component have direct implications for site integrity.
Technical Information
The vulnerability resides in the pafe_ajax_form_builder function, which handles file uploads submitted through forms built with Piotnet Addons for Elementor Pro. The function implements file type validation using an extension blacklist approach rather than an allowlist. This blacklist is incomplete: it blocks the extensions php, phpt, php5, php7, and exe, but it does not account for other extensions that Apache and other web servers can be configured to interpret as executable PHP code.
The following table illustrates the gap in the blacklist:
| Extension | Blocked by PAFE Pro 7.1.70 | Execution Risk |
|---|---|---|
| .php | Yes | High |
| .phpt | Yes | High |
| .php5 | Yes | High |
| .php7 | Yes | High |
| .exe | Yes | High |
| .phar | No | High |
| .phtml | No | High |
On many default or common Apache configurations, files with .phar (PHP Archive) and .phtml (PHP HTML) extensions are processed by the PHP interpreter. This means an attacker can craft a PHP webshell or other malicious payload, save it with one of these extensions, and upload it through the form. The server will then execute the file contents as PHP when the uploaded file is accessed via its URL.
Attack Flow
The exploitation path is straightforward and requires no authentication:
- The attacker identifies a WordPress site running Piotnet Addons for Elementor Pro version 7.1.70 or earlier.
- The attacker locates a form on the site that includes a file upload field generated by the plugin.
- The attacker crafts a malicious PHP payload and names the file with a
.pharor.phtmlextension. - The attacker submits the form with the malicious file attached. Because the blacklist does not include these extensions, the upload succeeds without any authentication check.
- The attacker navigates to the uploaded file's URL on the server.
- The web server processes the file as PHP, executing the attacker's code with the privileges of the web server process.
The only precondition is that a file upload field must be present on at least one form built with the affected plugin. No credentials, no special headers, no complex chaining required.
This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It is worth noting that this is not the first time this exact function has been the source of a critical file upload flaw. In 2021, researchers at Imunify360 disclosed a similar unauthenticated file upload and remote code execution vulnerability in the same pafe_ajax_form_builder function, suggesting the underlying validation logic was never comprehensively addressed.
Affected Systems and Versions
All versions of Piotnet Addons for Elementor Pro from the initial release through version 7.1.70 (inclusive) are affected. The vulnerability is exploitable on any WordPress installation where:
- Piotnet Addons for Elementor Pro version 0 through 7.1.70 is installed and active
- At least one form created with the plugin contains a file upload field
- The web server is configured to execute
.pharor.phtmlfiles as PHP (which is common in default Apache configurations)
No patch is available as of May 19, 2026. The most recent release, version 7.1.70 (March 11, 2026), addressed Server Side Request Forgery and Cross Site Scripting issues but does not fix this file upload vulnerability.
Vendor Security History
Piotnetdotcom has a documented pattern of severe input validation and authorization vulnerabilities across their product line:
| Year | Vulnerability Type | Affected Component |
|---|---|---|
| 2021 | Unauthenticated File Upload and RCE | Piotnet Addons for Elementor Pro |
| 2023 | Access violation and unauthorized data access | Piotnet Forms |
| 2025 | Cross Site Scripting | Piotnet Addons For Elementor |
| 2026 | Unauthenticated Arbitrary File Upload | Piotnet Addons for Elementor Pro |
The 2021 vulnerability is particularly relevant because it affected the same pafe_ajax_form_builder function. The recurrence of a nearly identical flaw in the same code path five years later raises questions about the vendor's approach to security remediation and code review.
References
- CVE Record: CVE-2026-4885
- Wordfence Threat Intelligence: Piotnet Addons for Elementor Pro Unauthenticated Arbitrary File Upload
- Piotnet Addons for Elementor Pro Official Site
- PAFE Change Log
- Piotnet Addons For Elementor on WordPress.org
- Imunify360: High Severity Vulnerabilities in Piotnet Forms and Piotnet Addons for Elementor Pro
- Access Violation Vulnerability in Piotnet Forms 1.0.25
- CISA Vulnerability Summary for the Week of March 31, 2025
- Entryzero Weekly Briefing: Top Hacker Relevant Vulnerabilities



