CVE-2026-4883: Piotnet Forms for WordPress allows attackers to upload any file type
Summary
The Piotnet Forms plugin for WordPress does not properly validate the type of uploaded files, so an attacker can upload files of any type. This could allow an attacker to execute malicious code on the site. To fix this, update the plugin to the latest version, or remove it if you are not using it.
Original title
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and includi...
Original description
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. Note: This can only be exploited if a file field is added to the form.
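The weakness described above is a blacklist that enumerates bad extensions instead of an allowlist that enumerates acceptable ones. The following is an added PHP example, not the plugin's own code: it places a blacklist check with exactly the five extensions the advisory names beside an allowlist check, and runs both over a few constructed filenames. The function names, the allowlist contents and the sample filenames are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the Piotnet Forms plugin.
// Function names, ALLOWED_EXTENSIONS and the sample filenames are assumptions.

// The incomplete blacklist the advisory describes: only these extensions are rejected.
const BLOCKED_EXTENSIONS = ['php', 'phpt', 'php5', 'php7', 'exe'];

// Extensions a typical form upload legitimately needs (assumed allowlist).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Returns the lower-cased final extension of a filename, or '' if it has none.
function upload_extension(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Blacklist check (weak): rejects only the listed extensions, so .phar, .phtml
// and anything else the list forgot pass straight through.
function blacklist_allows(string $filename): bool
{
    return !in_array(upload_extension($filename), BLOCKED_EXTENSIONS, true);
}

// Allowlist check (hardened): accept only known-safe extensions, require exactly
// one dot in the basename so double extensions such as "shell.php.jpg" are
// refused, and reject everything else by default.
function allowlist_allows(string $filename): bool
{
    $base = basename($filename);
    if (substr_count($base, '.') !== 1) {
        return false;
    }
    return in_array(upload_extension($base), ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames: the last four are the cases the blacklist misses.
$samples = ['photo.jpg', 'notes.pdf', 'shell.php', 'shell.phar', 'shell.phtml', 'shell.php.jpg'];

foreach ($samples as $name) {
    printf(
        "%-15s blacklist=%-6s allowlist=%s\n",
        $name,
        blacklist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject'
    );
}
```

Running this shows the two checks agreeing on `photo.jpg`, `notes.pdf` and `shell.php`, and disagreeing on the `.phar`, `.phtml` and double-extension names, which only the allowlist rejects. In a real WordPress plugin the custom check should not be hand-rolled at all: core already provides `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which enforce the site's configured allowed MIME types and extensions, and an upload handler reachable by unauthenticated AJAX requests should defer to them. Detection-wise, the file field noted in the advisory is the precondition, so defenders can review which forms expose one and watch the upload directory for files whose extension falls outside the expected set.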
NVD CVSS 3.1: 9.8
Vulnerability type: CWE-434 (Unrestricted File Upload)
Published: 19 May 2026 · Updated: 28 May 2026 · First seen: 19 May 2026