Skip to main content

Super Forms CVE-2026-14894

| EUVDEUVD-2026-42779 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-10 Wordfence GHSA-f5f5-22mx-8h54
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network attacker (PR:N/UI:N/AV:N) with a two-request, self-defeating-nonce path (AC:L) achieves webshell RCE, yielding full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 04:23 vuln.today
CVE Published
Jul 10, 2026 - 02:30 nvd
CRITICAL 9.8

DescriptionCVE.org

The Super Forms - Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

AnalysisAI

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Super Forms ≤6.3.313
Delivery
Request super_create_nonce to mint sf_nonce and session cookie
Exploit
POST webshell to submit_form nopriv handler
Execution
File saved unvalidated to uploads directory
Persist
Request uploaded PHP URL
Impact
Execute arbitrary code as web server user

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the Super Forms plugin (≤6.3.313) be installed and active with its default nopriv AJAX handlers reachable - the submit_form and super_create_nonce actions are exposed to logged-out visitors by default, so no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first sends an unauthenticated request to the super_create_nonce nopriv AJAX action to obtain a valid sf_nonce and session cookie, then sends a second request to the submit_form nopriv handler attaching a PHP webshell as a form file upload. Because no file-type or capability check runs, the shell lands in the web-accessible uploads directory, and the attacker requests its URL to execute arbitrary code as the web server user. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is published as commit c5838f5877c72b738c54ed970935c77ae6830c3a (https://github.com/RensTillmann/super-forms/commit/c5838f5877c72b738c54ed970935c77ae6830c3a), so upgrade to the first tagged release above 6.3.313 that incorporates it, verifying against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/e9c7fb16-efbb-41e9-be13-98e96c1e9100?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for Super Forms plugin installation and disable the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy