CVE Watch · Last verified 2026-05-19

Piotnet Addons for Elementor Pro — CVE-2026-4885

If your Elementor forms accept file uploads, an unauthenticated attacker can drop a PHP shell on your server right now. The plugin's blacklist blocks .php but misses .phar and .phtml. Apache and most shared hosts execute both. No login required. CVSS 9.8.

Verified facts

  • CVE-2026-4885 — unauthenticated arbitrary file upload via pafe_ajax_form_builder. CVSS 9.8 (Critical). CWE-434: Unrestricted Upload of File with Dangerous Type.
  • Affected versions: Piotnet Addons for Elementor Pro ≤ 7.1.70.
  • Root cause: the extension blacklist only blocks .php, .phpt, .php5, .php7, and .exe. It allows .phar, .phtml, .php8, and .shtml through unchecked.
  • Condition: at least one Piotnet form on your site must include a file upload field. No authentication needed to submit.
  • Impact: full remote code execution as the web server user. Attacker gets shell access to your hosting account.
  • PoC status: exploit signal detected (Wordfence Intelligence).

Who's at risk?

You're exposed if all of these are true: you run WordPress, you use Piotnet Addons for Elementor Pro (the paid version), you have at least one form with a file upload field, and your version is 7.1.70 or below. The free version of Piotnet Addons may also be affected but isn't confirmed yet.

If you don't use Piotnet at all, you're clear. If you use Elementor but with a different form plugin (like Elementor Pro's native forms or WPForms), this CVE doesn't touch you.

Self-check (under 5 minutes)

Step 1: Check if Piotnet is installed

WordPress admin → Plugins → Installed Plugins. Search for "Piotnet". You're looking for Piotnet Addons For Elementor Pro or Piotnet Addons For Elementor. If it's not there, stop here. You're not affected.

Step 2: Confirm the version

The version number sits right below the plugin name on the Plugins page. If it reads 7.1.71 or higher, you're patched. If it's 7.1.70 or lower, keep going.

Step 3: Check for file upload forms

Open Elementor and look through your pages for any Piotnet form widget that includes a File Upload field. If none of your forms accept file uploads, the attack surface doesn't exist even on a vulnerable version. Still update, but the urgency drops.

Step 4: Hunt for webshells

Connect via FTP or SSH and check your uploads directory:

find /path/to/wp-content/uploads/ -name "*.phar" -o -name "*.phtml" -o -name "*.php8" -o -name "*.shtml" | head -20

Any .phar or .phtml file in uploads is almost certainly a webshell. Don't open it in a browser. Download it and inspect the source, or just delete it and check your access logs for the upload timestamp.

Step 5: Update immediately

WordPress admin → Plugins → Piotnet Addons For Elementor Pro → Update Now. Confirm version shows 7.1.71+. If the update isn't available through your dashboard, download the latest release directly from pafe.piotnet.com and upload the zip manually.
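Worked example for Step 4, added here and not taken from the advisory, Piotnet or Wordfence: a POSIX shell sweep over the uploads tree that flags the extensions listed above and, because the root cause was a blacklist that missed extensions, also any file whose body carries a PHP open tag regardless of its name. The script name, the function names and the sample paths are the example's own.

```shell
#!/bin/sh
# Added example for Step 4 (not from the advisory, Piotnet or Wordfence):
# sweep an uploads tree for webshells. An extension blacklist is exactly what
# failed in CVE-2026-4885, so besides the extensions the advisory lists this
# also flags ANY file containing a PHP open tag, whatever it is called.
#
# Usage: ./hunt.sh /path/to/wp-content/uploads
# Output: one line per hit, tab-separated: REASON  mtime  path
#   EXT = name ends in an extension PHP handlers commonly execute
#   TAG = file body contains "<?php" or "<?=" (catches shell.jpg, shell.phar.png, ...)

hunt_webshells() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Extensions from the advisory's "allowed through" list plus .php itself
    # (nothing legitimate in uploads should carry any of these). The \( \)
    # group makes -type f apply to every -o alternative, not just the first.
    find "$dir" -type f \( -iname '*.phar' -o -iname '*.phtml' -o -iname '*.php8' \
         -o -iname '*.shtml' -o -iname '*.php' \) -print |
    while IFS= read -r f; do
        report EXT "$f"
    done

    # Content check: -a treats binaries as text so a PHP payload appended to a
    # real image is still found; -l prints only the file name.
    grep -rlaE '<\?(php|=)' "$dir" 2>/dev/null |
    while IFS= read -r f; do
        report TAG "$f"
    done
}

# Print reason, modification time and path. The mtime is what you line up
# against the upload request in the access log. GNU stat first, BSD fallback.
report() {
    mtime=$(stat -c '%y' "$2" 2>/dev/null || stat -f '%Sm' "$2" 2>/dev/null)
    printf '%s\t%s\t%s\n' "$1" "$mtime" "$2"
}

if [ "$#" -gt 0 ]; then
    hunt_webshells "$1"
fi
```

A file that shows up twice (EXT and TAG) is the clearest signal; a TAG-only hit on an image is worth inspecting offline before deleting.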


Need help fixing this vulnerability?

Professional remediation by the same team that tracks these threats.

  • $49 Quick Patch Call: 30-min screenshare, we patch together
  • $99 Webshell Hunt: find and remove uploaded shells, plus access log review
  • $199 Full Security Audit: plugin audit, hardening, and a written report
  • $299–$999 Incident Response: full cleanup, forensics, and recovery

Want CVE alerts before they hit the news?

We run a public CVE early-warning radar filtering NVD and CISA KEV for WordPress, hosting, and small-site infrastructure. One alert per Critical CVE. No spam.



Ping7 is not affiliated with Piotnet or Elementor. All trademarks belong to their respective owners. This page references public CVE data only and does not include proof-of-concept code or exploitation steps beyond what public advisories already describe.