CVE-2026-4885

Piotnet · Piotnet Addons for Elementor Pro

The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to insufficient extension filtering, enabling unauthenticated remote code execution.

Executive summary

An arbitrary file upload vulnerability in the Piotnet Addons for Elementor Pro plugin allows unauthenticated attackers to execute arbitrary code on the WordPress server.

Vulnerability

The pafe_ajax_form_builder function employs an incomplete extension blacklist, allowing unauthenticated attackers to upload malicious files (e.g., .phar or .phtml) that the server may execute.

Business impact

The CVSS score of 9.8 highlights the critical risk of remote code execution. Attackers can leverage this to gain full control over the WordPress site, modify content, steal user databases, or use the site as a launchpad for further attacks.

Remediation

Immediate Action: Update the Piotnet Addons for Elementor Pro plugin to the latest version without delay.

Proactive Monitoring: Scan the WordPress uploads directory for suspicious file extensions or unexpected PHP files.

Compensating Controls: Implement a Web Application Firewall (WAF) to block requests containing suspicious file uploads or attempts to access non-whitelisted file extensions.
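A scan of the kind the Proactive Monitoring item describes, as an added example that is not part of this advisory and not code from the plugin: it flags files under an uploads tree whose name carries a PHP-executable extension anywhere in it (the .phar and .phtml cases named under Vulnerability among them) or whose content holds a PHP open tag under an innocuous extension. The extension list and the sample tree are constructed assumptions; align the list with your web server's handler mapping.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin. Flags files in a
# WordPress uploads tree that a PHP handler could execute: either the file name
# carries a PHP-executable extension anywhere in it (so pic.jpg.php is caught),
# or the content holds a PHP open tag behind a harmless-looking extension.
# The extension list is an assumption: align it with the server's handler mapping.
SUSPECT_EXT='php[3457]?|phps|pht|phtml|phar'

# scan_uploads DIR: print each suspicious file path once
scan_uploads() {
    dir=$1
    {
        # name-based check, case-insensitive; the extension may be followed by
        # end-of-name or by a further dot (double extensions)
        find "$dir" -type f | grep -Ei "\.(${SUSPECT_EXT})(\.|\$)"
        # content-based check: an uploads tree should never contain PHP code at all
        find "$dir" -type f -exec grep -lF '<?php' {} +
    } | sort -u
}

# make_sample: build a constructed stand-in for wp-content/uploads (fake data)
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/05"
    printf 'GIF89a' > "$d/2024/05/logo.gif"           # benign image
    printf 'hello' > "$d/2024/05/notes.txt"           # benign text
    printf '<?php echo 1;' > "$d/2024/05/x.phtml"     # extension an incomplete blacklist misses
    printf 'PK' > "$d/2024/05/a.phar"                 # extension an incomplete blacklist misses
    printf 'x' > "$d/2024/05/pic.jpg.php"             # double extension
    printf '<?php echo 1;' > "$d/2024/05/cache.dat"   # PHP code behind a harmless name
    echo "$d"
}

if [ $# -gt 0 ]; then
    scan_uploads "$1"                 # e.g. scan_uploads /var/www/html/wp-content/uploads
else
    sample=$(make_sample)             # no path given: demonstrate on the constructed tree
    scan_uploads "$sample"
    rm -rf "$sample"
fi
```

Run it against the real uploads directory as a scheduled job and alert on any output; on the constructed tree it reports exactly the four planted files.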

Exploitation status

Public Exploit Available: No