PT-2026-41840 · WordPress · Piotnet Addons For Elementor

Wannes Verwimp · Published 2026-05-19 · Updated 2026-05-28 · CVE-2026-4885

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Piotnet Addons for Elementor Pro versions prior to 7.1.71

Description: Missing file type validation in the pafe ajax form builder() function allows unauthenticated attackers to upload arbitrary files to the server. The plugin employs an incomplete extension blacklist that fails to block dangerous extensions such as .phar or .phtml, which may lead to remote code execution. This issue is only exploitable if a file field has been added to the form.

Recommendations: Update to a version later than 7.1.70. As a temporary workaround, avoid adding file fields to forms until the update is applied.
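
The difference between an incomplete extension blacklist of the kind described above and an allowlist check, as an added PHP example. It is not the plugin's code: both lists, the function names and the sample file names are constructed for illustration.

```php
<?php
// Added illustration, not Piotnet code. Both lists are constructed samples.

// Weak pattern: reject only the extensions someone remembered to list.
const DENYLIST = ['php', 'php5', 'exe', 'sh'];

// Hardened pattern: accept only what the form field actually needs.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'pdf'];

/** Lowercased final extension of a client-supplied name ('' if none). */
function upload_extension(string $filename): string
{
    return strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
}

/** Blacklist check: anything not listed passes, including .phar and .phtml. */
function denylist_accepts(string $filename): bool
{
    return !in_array(upload_extension($filename), DENYLIST, true);
}

/** Allowlist check: anything not listed is rejected, including no extension. */
function allowlist_accepts(string $filename): bool
{
    return in_array(upload_extension($filename), ALLOWLIST, true);
}

/**
 * Name to store the upload under, or null if it must be rejected.
 * The stem is generated server-side, so only the validated extension
 * from the client-supplied name survives.
 */
function safe_stored_name(string $filename): ?string
{
    if (!allowlist_accepts($filename)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . upload_extension($filename);
}

// Constructed sample names; .phtml and .phar are the cases the advisory cites.
foreach (['photo.JPG', 'report.pdf', 'x.phtml', 'x.phar', 'noext'] as $name) {
    printf("%-11s denylist=%-6s allowlist=%-6s stored=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject',
        safe_stored_name($name) ?? '-');
}
```

The denylist column accepts every sample, including `x.phtml` and `x.phar`, while the allowlist column accepts only `photo.JPG` and `report.pdf`.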

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-4885

Affected Products: Piotnet Addons For Elementor