CVE-2026-4883 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-4883 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-4883 is an arbitrary file upload vulnerability in the Piotnet Forms plugin for WordPress, affecting versions prior to the patched release, stemming from missing file type validation in the plugin's form builder AJAX handler.
Technical Detail
The flaw exists in the piotnetforms_ajax_form_builder function, which processes file upload requests without validating or restricting the file types submitted by users. An unauthenticated attacker (the CVSS 9.8 score corresponds to a vector with no privileges required) can submit a crafted form request containing a malicious file, such as a PHP web shell, which the server stores in a web-accessible directory; the attacker then requests that file by URL and the server executes it. Successful exploitation results in remote code execution (RCE) on the underlying web server, with the code running in the web server user's context, which on a typical WordPress host is sufficient to read wp-config.php and the database credentials it holds and to modify any site file that user can write.
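The check the handler is described as lacking, shown as an added example rather than code from the Piotnet Forms plugin or from this briefing. It is written in Python so it runs stand-alone; in WordPress the core function wp_check_filetype_and_ext() enforces the same extension-plus-content rule. The allowlist, the executable-extension set and the helper names are assumptions for illustration. It goes beyond the single case in the text: it rejects executable extensions anywhere in a multi-dot name and path separators, checks the file's magic bytes rather than trusting the extension, and refuses PHP open tags inside otherwise valid images.

```python
"""Server-side upload validation of the kind the affected AJAX handler lacks.

Added example, not code from the Piotnet Forms plugin or this briefing. The
allowlist, the executable-extension set and the helper names are assumptions
chosen for illustration; adjust them to what the form legitimately accepts.
"""
import re
import secrets

# Types the form is allowed to accept, each with the magic bytes a genuine
# file of that type starts with. Anything not listed here is rejected.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}

# Extensions a typical PHP host will execute. Rejected wherever they appear in
# the name, because Apache's AddHandler matching also fires on shell.php.jpg.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8",
              "phtml", "phar", "phps", "inc"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and body."""
    # Keep only the basename: the client must not choose the directory.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in name:
        return False, "NUL byte in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"      # also catches ".htaccess"
    exts = parts[1:]
    if EXECUTABLE.intersection(exts):
        return False, "executable extension present"
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    # The extension alone is attacker-controlled; the bytes must agree with it.
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type"
    # A valid image header followed by PHP (a polyglot) is still a web shell
    # if anything ever executes it, so refuse PHP open tags outright.
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag in content"
    return True, "ok"


def storage_name(validated_ext: str) -> str:
    """Server-chosen name for an accepted file; the client's name is never reused."""
    return f"{secrets.token_hex(16)}.{validated_ext}"


if __name__ == "__main__":
    # Constructed samples: one legitimate image and the usual bypass attempts.
    samples = {
        "photo.JPG":           b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "shell.php":           b"<?php system($_GET['cmd']); ?>",
        "shell.php.jpg":       b"\xff\xd8\xff\xe0",
        "shell.jpg":           b"<?php system($_GET['cmd']); ?>",
        "avatar.jpg":          b"\xff\xd8\xff\xe0<?php eval($_POST['x']); ?>",
        "../../wp-config.php": b"x",
        ".htaccess":           b"AddType application/x-httpd-php .jpg",
    }
    for name, body in samples.items():
        accepted, reason = validate_upload(name, body)
        print(f"{name:22} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Even with this check in place, store accepted files under a server-generated name (storage_name above) in a directory the web server is configured not to execute scripts from; the validation and the hosting configuration are independent layers, and the second one is what turns a check bypass into a harmless file rather than a shell.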
Exploitation Status
No known exploit has been publicly documented or observed at this time. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Despite the absence of confirmed exploitation, the critical CVSS score of 9.8 and the unauthenticated attack vector make this a high-priority patching target, as file upload vulnerabilities of this class are routinely weaponized once details become public.
Who Is Targeting This
No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this CVE as of May 26, 2026.
What To Do
WordPress site operators running the Piotnet Forms plugin should update to the latest patched version immediately, prioritizing internet-facing installations. If an immediate update is not possible, deactivate the plugin until it can be patched, or restrict the AJAX endpoint with web application firewall rules that block unauthenticated file-upload POSTs to wp-admin/admin-ajax.php carrying the relevant action parameter; scope the rule to that action, because admin-ajax.php is shared by WordPress core and most other plugins and a blanket block on it will break the site. As defense in depth, configure the web server so that nothing under wp-content/uploads is executed as PHP, which turns a dropped web shell into an inert file.
Detection efforts should focus on unexpected PHP or other script files written under the WordPress uploads directory (including .htaccess files that re-enable script execution there), POST requests to the AJAX handler carrying multipart file data, and requests that invoke script files under wp-content/uploads, which is how a planted web shell is used. Patching does not remove a shell that was uploaded before the update, so sweep the uploads tree after updating. Given the critical severity and straightforward exploitation path, treat this as a patch-now priority regardless of current exploitation status.
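Detection logic for the guidance above, as an added example rather than anything from the plugin vendor or this briefing. Assumptions not stated on the page: the AJAX action parameter carries the handler name piotnetforms_ajax_form_builder, the access log is in combined format with the action visible in the query string, and uploads live under wp-content/uploads. The log lines and the files placed in the scanned tree are constructed for the example.

```python
"""Detection sketches for a Piotnet Forms arbitrary-upload incident.

Added example, not from the plugin or the advisory. Assumptions: the AJAX
action name equals the handler name (VULN_ACTION), access logs are in Apache/
nginx combined format, and uploads live under wp-content/uploads. All sample
log lines and files are constructed.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "piotnetforms_ajax_form_builder"     # assumption, see docstring
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\.|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log excerpt: an upload to the vulnerable action, a benign
# core AJAX call, a web-shell invocation from uploads, and a normal image fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=piotnetforms_ajax_form_builder HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [26/May/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 34 "-" "Mozilla/5.0"
198.51.100.4 - - [26/May/2026:10:02:41 +0000] "GET /wp-content/uploads/piotnetforms/shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.11 - - [26/May/2026:10:03:00 +0000] "GET /wp-content/uploads/2026/05/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""


def suspicious_requests(log_text):
    """Return (line_no, client_ip, reason) for log lines worth triage."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        action = parse_qs(parts.query).get("action", [""])[0]
        if (m.group("method") == "POST"
                and parts.path.endswith("/wp-admin/admin-ajax.php")
                and action == VULN_ACTION):
            hits.append((n, m.group("ip"), "POST to vulnerable AJAX action"))
        elif "/wp-content/uploads/" in parts.path and SCRIPT_EXT.search(parts.path):
            hits.append((n, m.group("ip"), "script requested from uploads directory"))
    return hits


def scan_uploads(root):
    """Walk an uploads tree and report files that should never be there."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if fname == ".htaccess":
                # Attackers drop these to make .jpg etc. executable again.
                findings.append((rel, "htaccess in uploads"))
            elif SCRIPT_EXT.search(fname):
                findings.append((rel, "script extension"))
            else:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
                if PHP_TAG.search(head):
                    findings.append((rel, "PHP open tag in non-script file"))
    return sorted(findings)


def demo_scan():
    """Build a constructed uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "2026/05/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
            "2026/05/.htaccess": b"AddType application/x-httpd-php .jpg\n",
            "piotnetforms/shell.php": b"<?php system($_GET['cmd']); ?>",
            "piotnetforms/avatar.jpg": b"\xff\xd8\xff\xe0<?php eval($_POST['x']); ?>",
        }
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_uploads(root)


if __name__ == "__main__":
    for n, ip, why in suspicious_requests(SAMPLE_LOG):
        print(f"log line {n} from {ip}: {why}")
    for rel, why in demo_scan():
        print(f"uploads/{rel}: {why}")
```

WordPress AJAX calls frequently carry the action parameter in the POST body rather than the query string, and a combined-format access log does not record bodies; for those, apply the same match to a WAF or ModSecurity audit log that captures request bodies, or alert on any multipart POST to admin-ajax.php from an unauthenticated client. The filesystem sweep covers what patching alone does not: a shell planted before the update.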