The Piotnet Forms plugin for WordPress allows unauthenticated users to upload files by bypassing the former file‑type validation in the piotnetforms_ajax_form_builder routine. Because the plugin only excludes php, phpt, php5, php7, and exe extensions, it accepts dangerous extensions such as .phar or .phtml and writes them to the server’s upload directory. An attacker can therefore place executable code on the site to obtain remote command execution capabilities. The description explicitly notes that this vulnerability is exploitable only when a form contains a file field, limiting the risk to sites that have enabled file uploads on any form. The flaw is an input validation weakness—CWE‑434—which permits untrusted content to be stored without proper filtering, enabling malicious payloads.

The vulnerability affects the Piotnet Forms WordPress plugin for all users of the class Piotnet Forms, specifically versions up to and including 2.1.40. Any WordPress installation running the plugin and with at least one form configured to accept file uploads is susceptible. No other vendors or product versions are mentioned in the CNA list.

The base CVSS score of 9.8 reflects a high severity, indicating full remote code execution possible with minimal effort and no authentication. EPSS data is not available, so the current likelihood of exploitation is unknown, but the severe impact justifies close attention. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending a crafted HTTP request that includes a file field, naming a file with a dangerous extension such as .phar, and causing the plugin to store it on the web server. Once stored, an attacker may be able to execute the file through the web server or via other compromised credentials if the file is a PHP script or similar.