🚨 BREAKING

CVE-2026-4885: Piotnet Addons for Elementor Pro RCE via File Upload

/CRITICAL /CVSS 9.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severityremote-code-executioncwe-434
CVE-2026-4885: Piotnet Addons for Elementor Pro RCE via File Upload

The National Vulnerability Database has issued a critical advisory for CVE-2026-4885, impacting the Piotnet Addons for Elementor Pro plugin for WordPress. This vulnerability, present in all versions up to and including 7.1.70, allows unauthenticated attackers to upload arbitrary files due to inadequate file type validation in the pafe_ajax_form_builder function. The plugin’s blacklist for extensions is incomplete, failing to block dangerous types like .phar and .phtml.

This oversight enables attackers to bypass basic security controls and introduce malicious files onto the server. If a form with a file upload field is present, this flaw can be exploited to achieve remote code execution (RCE). The National Vulnerability Database assigns this a CVSS score of 9.8 (CRITICAL), underscoring the severe risk it poses to affected WordPress sites.

For defenders, this is a clear-cut case of a critical vulnerability that can lead directly to full system compromise. The attacker’s calculus is simple: find a site running a vulnerable version with a form that includes a file upload field, then exploit the weak validation to drop a web shell or other malicious script. This bypasses authentication, making it a low-friction, high-impact attack vector.

What This Means For You

  • If your organization uses the Piotnet Addons for Elementor Pro plugin, you need to immediately verify your version. Patch to the latest available version beyond 7.1.70. If patching isn't possible, audit all forms for file upload fields and consider disabling the plugin until a fix is deployed, especially on public-facing sites.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Component: File Upload Initial Access T1047 Windows Management Instrumentation Execution

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-4885: Piotnet Addons for Elementor Pro Arbitrary File Upload (.phar, .phtml)

Sigma YAML — free preview 
title: CVE-2026-4885: Piotnet Addons for Elementor Pro Arbitrary File Upload (.phar, .phtml)
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-4885 by uploading files with dangerous extensions (.phar, .phtml) via the 'pafe_ajax_form_builder' AJAX endpoint in Piotnet Addons for Elementor Pro. This is a critical vulnerability allowing unauthenticated arbitrary file upload, leading to potential RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4885/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-method:
          - 'POST'
      uri|contains:
          - '/wp-admin/admin-ajax.php'
      cs-uri-query|contains:
          - 'action=pafe_ajax_form_builder'
      sc-status:
          - 200
  selection_indicators:
      uri|contains:
          - '.phar'
          - '.phtml'
      condition: selection AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-4885 RCE Piotnet Addons for Elementor Pro plugin for WordPress
CVE-2026-4885 Arbitrary File Upload Piotnet Addons for Elementor Pro plugin for WordPress versions <= 7.1.70
CVE-2026-4885 Arbitrary File Upload Vulnerable function: 'pafe_ajax_form_builder'
CVE-2026-4885 Arbitrary File Upload Incomplete extension blacklist allowing .phar or .phtml uploads

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 19, 2026 at 11:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8922 — Keycloak Vulnerability

CVE-2026-8922 — A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails...

vulnerabilityCVEmedium-severitycwe-303
/SCW Vulnerability Desk /MEDIUM /5.4 /⚑ 2 IOCs

CVE-2026-47317 — Samsung Open Source Escargot Vulnerability

CVE-2026-47317 — Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

vulnerabilityCVEmedium-severitycwe-674
/SCW Vulnerability Desk /MEDIUM /5.5 /⚑ 2 IOCs /⚙ 1 Sigma

CVE-2026-47316 — Samsung Open Source Escargot Vulnerability

CVE-2026-47316 — Improper Check or Handling of Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

vulnerabilityCVEmedium-severitycwe-703
/SCW Vulnerability Desk /MEDIUM /5.5 /⚑ 2 IOCs /⚙ 4 Sigma