CVE-2026-4883
Piotnet · Piotnet Forms
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file extension blacklisting, enabling remote code execution.
Executive summary
A critical arbitrary file upload vulnerability in the Piotnet Forms WordPress plugin allows unauthenticated attackers to achieve remote code execution.
Vulnerability
The piotnetforms_ajax_form_builder function uses an incomplete blacklist for file uploads. An unauthenticated attacker can upload malicious files (e.g., .phar or .phtml) to the server, leading to potential RCE.
Business impact
With a CVSS score of 9.8, this vulnerability is highly critical. It allows an attacker to gain a foothold on the web server, which can be leveraged to steal sensitive customer data, deface the website, or pivot into the internal hosting environment.
Remediation
Immediate Action: Update the Piotnet Forms plugin to the latest version that includes a robust file validation mechanism.
Proactive Monitoring: Audit the /wp-content/uploads/ directory for any suspicious or unauthorized PHP/executable files.
Compensating Controls: Use a web application firewall (WAF) to block requests containing suspicious file extensions or direct access to uploaded files.
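An audit helper for the Proactive Monitoring step above, added here as an example and not part of the advisory or the plugin's own code. It walks an uploads tree and flags files whose name carries a PHP-executable extension in any dotted segment (so a double extension such as photo.php.jpg is caught, not only .phar or .phtml), files that contain a PHP open tag regardless of extension, and server control files such as .htaccess; the extension list and control-file names are assumptions, not values from the plugin.

```python
import os
import re

# Extensions that typical Apache/PHP-FPM setups hand to the PHP interpreter.
# .phar and .phtml are the ones the advisory names; the rest are common
# variants a short blacklist tends to miss (assumed list, not the plugin's).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                  "phtml", "phar", "phps", "pht"}

# Files that can re-map handlers for a directory; they do not belong in uploads.
CONTROL_FILES = {".htaccess", ".user.ini"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def suspicious_reasons(path):
    """Return the reasons a file under the uploads tree looks suspicious."""
    reasons = []
    name = os.path.basename(path)
    if name in CONTROL_FILES:
        reasons.append("server control file in uploads")
    # Check every dotted segment after the first, so 'shell.php.jpg' and
    # 'x.phtml' both trip it (multi-extension handling varies by server config).
    segments = name.lower().split(".")[1:]
    hits = [s for s in segments if s in PHP_EXTENSIONS]
    if hits:
        reasons.append("php-executable extension: ." + ".".join(hits))
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return reasons
    if PHP_OPEN_TAG.search(head):
        reasons.append("php open tag in content")
    return reasons


def audit_uploads(root):
    """Walk an uploads directory; map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, why in sorted(audit_uploads(root).items()):
        print(rel, "->", "; ".join(why))
```

Run it against a copy of the uploads tree rather than the live site if you want to avoid touching access times during an investigation.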
Exploitation status
Public Exploit Available: false
Analyst recommendation
File upload vulnerabilities are a frequent target for automated exploitation. Administrators should immediately update the plugin and conduct a security audit of the site's upload directories to ensure no malicious files have already been planted.