CVE-2026-4885 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-4885 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-4885 is an arbitrary file upload vulnerability in the Piotnet Addons for Elementor Pro plugin for WordPress, affecting all versions up to and including the patched release, stemming from missing file type validation in the plugin's form builder functionality.
Technical Detail
The flaw exists in the pafe_ajax_form_builder function, which processes file uploads without validating or restricting the file type submitted by the user. An unauthenticated or low-privileged attacker can exploit this by submitting a crafted request that uploads a malicious file, such as a PHP web shell, to the target server. Successful exploitation results in remote code execution (RCE) under the web server's process context, granting the attacker full control over the affected WordPress installation and potentially the underlying host.
Exploitation Status
No known exploit has been publicly documented at this time, and this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploit maturity is assessed as none confirmed. However, the vulnerability class (unauthenticated arbitrary file upload leading to RCE) is well understood and historically attracts rapid weaponization once disclosed, particularly against WordPress plugin targets.
Who Is Targeting This
No specific threat actor attribution exists at this time; no confirmed or reported threat actor associations have been established for this CVE as of the date of this briefing.
What To Do
Update the Piotnet Addons for Elementor Pro plugin to the latest available version immediately, as this vulnerability carries a CVSS score of 9.8 (Critical) and the attack vector requires no authentication. Site administrators who cannot patch immediately should consider disabling the plugin until an update can be applied. Web application firewall (WAF) rules that block upload of executable file types (e.g., .php, .phtml, .phar) via form submission endpoints can serve as a temporary compensating control. Detection efforts should focus on monitoring web server logs for unexpected POST requests to AJAX endpoints associated with the plugin, as well as scanning the WordPress uploads directory for newly created PHP or script files. Given the severity and exploitability of this vulnerability class, patching should be treated as an urgent priority within 24 to 48 hours of this disclosure.
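The two detection steps above, as an added example that is not part of the briefing or the plugin: flag POSTs to the WordPress AJAX endpoint that name the plugin's form builder, and list recently modified script files under the uploads directory. The AJAX action pattern (derived from the function name pafe_ajax_form_builder), the log lines and the file names are constructed assumptions.

```python
"""Detection helpers for the briefing's monitoring steps (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Combined Log Format: ip ident user [time] "request" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
# Assumption: the form builder is reached through admin-ajax.php with an action
# containing "pafe". If the action travels in the POST body, access logs show
# only the endpoint, so strict=False falls back to flagging every AJAX POST.
PLUGIN_ACTION = re.compile(r"action=[^&\s]*pafe", re.IGNORECASE)
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}  # executable types named above

def flag_ajax_posts(lines, strict=True):
    """Return (ip, time, request) for POSTs to admin-ajax.php; strict keeps
    only requests whose query string names a pafe action."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, when, request, _status = m.groups()
        if not (request.startswith("POST ") and "/admin-ajax.php" in request):
            continue
        if strict and not PLUGIN_ACTION.search(request):
            continue
        hits.append((ip, when, request))
    return hits

def find_script_files(uploads_dir, since_epoch):
    """Files under uploads_dir modified after since_epoch with a script
    extension anywhere in the name (catches double extensions like x.php.jpg)."""
    found = []
    for path in Path(uploads_dir).rglob("*"):
        if not path.is_file() or path.stat().st_mtime < since_epoch:
            continue
        if SCRIPT_EXTENSIONS & {s.lower() for s in path.suffixes}:
            found.append(path.relative_to(uploads_dir).as_posix())
    return sorted(found)

# Constructed sample log: one plugin POST, one image GET, one unrelated AJAX POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=pafe_ajax_form_builder HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-content/uploads/2026/03/image.jpg HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 32',
]

def build_sample_uploads():
    """Constructed uploads tree: fresh image, stale PHP file, fresh double-extension
    PHP file. Returns (directory, cutoff_epoch) for a one-hour lookback."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = Path(root, "2026", "03")
    sub.mkdir(parents=True)
    now = time.time()
    for name, age in (("image.jpg", 0), ("old.php", 7200), ("image.php.jpg", 0)):
        p = sub / name
        p.write_text("constructed placeholder\n")
        os.utime(p, (now - age, now - age))
    return root, now - 3600
```

Run `flag_ajax_posts(SAMPLE_LOG, strict=False)` when the action parameter is not visible in the query string; the broader result set then needs manual triage.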