CVE Watch · Last verified 2026-05-19
Piotnet Addons for Elementor Pro — CVE-2026-4885
If your Piotnet forms accept file uploads, an unauthenticated attacker can drop a PHP shell on your server right now. The plugin's extension blacklist blocks .php but misses .phar and .phtml, and Apache executes both under the common mod_php handler mapping (Debian and Ubuntu's stock PHP module config routes .php, .phar and .phtml to PHP), as do most shared hosts. No login required. CVSS 9.8.
Verified facts
- CVE-2026-4885: unauthenticated arbitrary file upload via the pafe_ajax_form_builder AJAX action. CVSS 9.8 (Critical). CWE-434: Unrestricted Upload of File with Dangerous Type.
- Affected versions: Piotnet Addons for Elementor Pro ≤ 7.1.70.
- Root cause: the extension blacklist blocks only .php, .phpt, .php5, .php7 and .exe. It lets .phar, .phtml, .php8 and .shtml through unchecked. Which of those actually run depends on the server's handler mapping; .phtml and .phar are mapped to PHP on most Apache/mod_php installs, which is what turns the upload into code execution.
- Condition: at least one Piotnet form on your site must include a file upload field. No authentication is needed to submit it.
- Impact: remote code execution as the web server user. On shared hosting that is usually your own account's user, so the attacker can read and modify everything the site itself can, wp-config.php and the database credentials in it included.
- PoC status: exploit signal detected (Wordfence Intelligence).
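The blacklist is the plugin's bug, but the execution is the web server's doing: a .phtml file in uploads is only dangerous because the server hands it to PHP. Until the update is in place, and as a permanent safety net afterwards, Apache sites can refuse to serve any PHP-handler extension from wp-content/uploads. The fragment below is an added example, not from this page or from Piotnet; it assumes an Apache host that honours .htaccess in that directory (AllowOverride permitting) and does nothing on nginx or on hosts that disable per-directory overrides.

```apache
# wp-content/uploads/.htaccess (added example, not Piotnet code)
# Uploads are data, never code: refuse to serve anything a PHP handler might
# claim, including the extensions the plugin's blacklist missed.
# (?i) makes the match case-insensitive; FilesMatch is case-sensitive otherwise.
<FilesMatch "(?i)\.(php|php[0-9]|phps|phpt|phtml|phar|shtml)$">
  # Apache 2.4
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 fallback
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
```

Verify it took effect: create wp-content/uploads/probe.phtml containing only a PHP comment, request it in a browser, confirm a 403, and delete the probe. A 200 or a blank page means the override is being ignored and the rule has to move into the server configuration (or its nginx equivalent). This blocks files from being served directly; it does not stop code elsewhere from including them, so it complements the plugin update rather than replacing it.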
Who's at risk?
You're exposed if all of these are true: you run WordPress, you use Piotnet Addons for Elementor Pro (the paid version), you have at least one form with a file upload field, and your version is 7.1.70 or below. The free version of Piotnet Addons may also be affected but isn't confirmed yet.
If you don't use Piotnet at all, you're clear. If you use Elementor but with a different form plugin (like Elementor Pro's native forms or WPForms), this CVE doesn't touch you.
Self-check (under 5 minutes)
Step 1: Check if Piotnet is installed
WordPress admin → Plugins → Installed Plugins. Search for "Piotnet". You're looking for Piotnet Addons For Elementor Pro or Piotnet Addons For Elementor. If it's not there, stop here. You're not affected.
Step 2: Confirm the version
The version number sits right below the plugin name on the Plugins page. If it reads 7.1.71 or higher, you're patched. If it's 7.1.70 or lower, keep going.
Step 3: Check for file upload forms
Open Elementor and look through your pages for any Piotnet form widget that includes a File Upload field. If none of your forms accept file uploads, the attack surface doesn't exist even on a vulnerable version. Still update, but the urgency drops.
Step 4: Hunt for webshells
Connect via FTP or SSH and check your uploads directory:
find /path/to/wp-content/uploads/ -type f \( -iname "*.phar" -o -iname "*.phtml" -o -iname "*.php8" -o -iname "*.shtml" \) -print | head -20
Any .phar or .phtml file in uploads is almost certainly a webshell. Don't open it in a browser: requesting it executes it. Copy it off the server and inspect the source, or note its path and modification time and delete it. Then check your access logs for the upload (a POST to /wp-admin/admin-ajax.php around that time) and for any later requests to the file itself. If the file was ever requested and answered with a 200, the attacker has already run code on the site, so deleting the file is not a cleanup: look for added administrator users, modified plugin, theme or core files and unexpected scheduled tasks as well.
Step 5: Update immediately
WordPress admin → Plugins → Piotnet Addons For Elementor Pro → Update Now. Confirm version shows 7.1.71+. If the update isn't available through your dashboard, download the latest release directly from pafe.piotnet.com and upload the zip manually.
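The dashboard steps above assume you can log in and trust what the admin shows you. The following script, an added example that is not part of this page or of the Piotnet plugin, does Step 2 and Step 4 from a shell instead: it reads the installed version from the plugin header on disk, lists uploads with the extensions the blacklist let through, catches shells that hide behind an innocent extension, and pulls access-log hits on those files. Its assumptions are a combined-format access log, a plugin file whose header reads "Plugin Name: Piotnet Addons", and a standard WordPress layout; the fixture it builds is constructed sample data, including the plugin directory name.

```shell
#!/bin/sh
# Added example (not from the Ping7 page or the Piotnet plugin): command-line
# triage helpers for Steps 2 and 4. Assumptions: combined access-log format,
# a plugin header containing "Plugin Name: Piotnet Addons", and the directory
# layout of a standard WordPress install. The fixture below is constructed
# sample data, not a real site.

# Step 2 without the dashboard: read the Version: header of the plugin file
# whose header names Piotnet Addons (the directory slug is not assumed here).
plugin_version_on_disk() {
  for f in "$1"/*/*.php; do
    [ -f "$f" ] || continue
    if grep -q '^[ *]*Plugin Name:.*Piotnet Addons' "$f"; then
      sed -n 's/^[ *]*Version:[[:space:]]*//p' "$f" | head -n 1
      return 0
    fi
  done
  return 1
}

# Step 4a: files under uploads with an extension the vulnerable blacklist let
# through, plus plain .php, which has no business under uploads either.
# Case-insensitive, because handler mappings and attackers both vary case.
find_suspect_uploads() {
  find "$1" -type f \( -iname '*.phar' -o -iname '*.phtml' -o -iname '*.php8' \
       -o -iname '*.shtml' -o -iname '*.php' \) -print | sort
}

# Step 4b: a shell can also hide behind a harmless extension, so flag any
# file under uploads that contains a PHP open tag, whatever it is called.
find_php_tags_in_uploads() {
  grep -rlE '<\?(php|=)' "$1" 2>/dev/null | sort
}

# Step 4c: requests that fetched such a file. The AJAX action name travels in
# the POST body and is normally not logged, so the hit on the dropped file is
# the reliable trace; a 200 here means the shell was actually run.
shell_hits_in_log() {
  grep -iE '"(GET|POST) [^" ]*/wp-content/uploads/[^" ]*\.(phar|phtml|php8|shtml|php)[? "]' "$1"
}

# Constructed fixture so the helpers can be exercised offline; prints its path.
build_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/plugins/piotnet-addons-for-elementor-pro" "$d/plugins/hello-dolly" \
           "$d/uploads/2026/05"
  printf '<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n' \
    > "$d/plugins/hello-dolly/hello.php"
  printf '<?php\n/**\n * Plugin Name: Piotnet Addons For Elementor Pro\n * Version: 7.1.70\n */\n' \
    > "$d/plugins/piotnet-addons-for-elementor-pro/plugin.php"
  printf '%%PDF-1.4 harmless attachment\n' > "$d/uploads/2026/05/resume.pdf"
  printf '<?php /* planted marker, stands in for a shell */ ?>\n' > "$d/uploads/2026/05/a1b2c3.phtml"
  printf 'PNG-header-placeholder\n<?php /* disguised as an image */ ?>\n' > "$d/uploads/2026/05/logo.png"
  printf '%s\n' \
    '203.0.113.5 - - [19/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
    '203.0.113.5 - - [19/May/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/05/a1b2c3.phtml HTTP/1.1" 200 88 "-" "Mozilla/5.0"' \
    '198.51.100.7 - - [19/May/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/05/resume.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"' \
    > "$d/access.log"
  printf '%s\n' "$d"
}

# Demonstration on the fixture; against a live site call the helpers with
# your real wp-content/plugins, wp-content/uploads and access log paths.
fx=$(build_fixture)
printf 'Installed version: %s\n' "$(plugin_version_on_disk "$fx/plugins")"
printf '== suspect extensions ==\n'; find_suspect_uploads "$fx/uploads"
printf '== PHP tags in uploads ==\n'; find_php_tags_in_uploads "$fx/uploads"
printf '== log hits ==\n'; shell_hits_in_log "$fx/access.log"
rm -rf "$fx"
```

On a live site, run find_suspect_uploads and find_php_tags_in_uploads against your uploads directory and shell_hits_in_log against your web server's access log. Any output from the first two is a finding; any output from the third with a 200 status means the file was executed, and the site needs the wider cleanup described in Step 4, not just the deletion.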
Free resources
- Full self-check guide — step-by-step walkthrough with detection commands, log analysis, and cleanup
- Website Security Scorecard — quick public-surface grade for your WordPress URL
- Wordfence Advisory — original vulnerability disclosure
Need help fixing this vulnerability?
Professional remediation by the same team that tracks these threats.
Want CVE alerts before they hit the news?
We run a public CVE early-warning radar filtering NVD and CISA KEV for WordPress, hosting, and small-site infrastructure. One alert per Critical CVE. No spam.
Ping7 is not affiliated with Piotnet or Elementor. All trademarks belong to their respective owners. This page references public CVE data only and does not include proof-of-concept code or exploitation steps beyond what public advisories already describe.