Piotnet Addons
Affected versions: <= 7.1.70
The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload in all versions up to and including 7.1.70. The cause is insufficient file type validation in the 'pafe_ajax_form_builder' function: the plugin relies on an extension blacklist that blocks a handful of extensions such as php and exe but does not block other extensions that PHP-enabled web servers commonly execute, such as .phar and .phtml. A blacklist only ever covers the cases its author thought of, so any executable extension left off the list passes. This allows unauthenticated attackers to upload arbitrary files to the server whenever a form containing a file upload field is present, which can lead to remote code execution.
Successful exploitation gives an unauthenticated attacker an arbitrary file upload. Whether that becomes remote code execution depends on the uploaded file: if it carries an extension the web server hands to the PHP interpreter (for example .phtml or .phar), requesting the uploaded file executes it.
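The following PHP is an added example and not code from the Piotnet Addons plugin. It contrasts an extension blacklist of the kind described above with an allowlist that also sniffs the uploaded content, and runs both over a few constructed sample uploads. The function names, the denied and allowed extension lists, and the sample files are assumptions chosen for illustration.

```php
<?php
// Added example, not plugin code. Contrasts a blacklist like the one described
// above with an allowlist plus content check. Lists and names are hypothetical.

// Blacklist modelled on the weakness: blocks php and exe, silently admits
// everything else, including phtml and phar, which PHP-enabled web servers
// commonly treat as executable.
const DENIED_EXTENSIONS = ['php', 'exe'];

// Allowlist: extension => MIME type the bytes must actually sniff as.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// The flawed check: anything whose last extension is not on the list passes.
function blacklist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Hardened check: every dot-separated part after the base name must be a
// permitted extension (so "shell.phtml.png" is rejected, not only "shell.phtml"),
// and the sniffed MIME type of the bytes must match the final extension.
function allowlist_allows(string $filename, string $content): bool {
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    array_shift($parts);                    // drop the base name
    foreach ($parts as $ext) {
        if (!array_key_exists(strtolower($ext), ALLOWED_TYPES)) {
            return false;
        }
    }
    $final   = strtolower(end($parts));
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    return $sniffed === ALLOWED_TYPES[$final];
}

// Constructed sample uploads: a minimal PNG header and a PHP payload.
$png_bytes = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$php_bytes = "<?php system(\$_GET['c']); ?>";

$samples = [
    ['photo.png',       $png_bytes],
    ['shell.php',       $php_bytes],   // the one case the blacklist catches
    ['shell.phtml',     $php_bytes],   // passes the blacklist
    ['shell.phar',      $php_bytes],   // passes the blacklist
    ['shell.PHP',       $php_bytes],   // caught here only because this model lowercases
    ['shell.phtml.png', $php_bytes],   // passes the blacklist (last extension is png)
    ['fake.png',        $php_bytes],   // right extension, wrong content
];

foreach ($samples as [$name, $bytes]) {
    printf("%-18s blacklist=%-5s allowlist=%s\n",
        $name,
        blacklist_allows($name) ? 'pass' : 'block',
        allowlist_allows($name, $bytes) ? 'pass' : 'block');
}
```

Run with `php example.php`: the blacklist passes every sample except shell.php and shell.PHP, while the allowlist passes only photo.png. Inside WordPress the same idea is what core's wp_check_filetype_and_ext() and the upload_mimes filter implement, so a plugin handling its own uploads should route them through those rather than a private blacklist; storing uploads in a directory where the server will not execute scripts is a worthwhile second layer regardless of which check is used.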