Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network attacker (PR:N/UI:N/AV:N) with a two-request, self-defeating-nonce path (AC:L) achieves webshell RCE, yielding full C/I/A impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Super Forms - Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.
Articles & Coverage 1
AnalysisAI
Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the Super Forms plugin (≤6.3.313) be installed and active with its default nopriv AJAX handlers reachable - the submit_form and super_create_nonce actions are exposed to logged-out visitors by default, so no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to genuine high priority rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker first sends an unauthenticated request to the super_create_nonce nopriv AJAX action to obtain a valid sf_nonce and session cookie, then sends a second request to the submit_form nopriv handler attaching a PHP webshell as a form file upload. Because no file-type or capability check runs, the shell lands in the web-accessible uploads directory, and the attacker requests its URL to execute arbitrary code as the web server user. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is published as commit c5838f5877c72b738c54ed970935c77ae6830c3a (https://github.com/RensTillmann/super-forms/commit/c5838f5877c72b738c54ed970935c77ae6830c3a), so upgrade to the first tagged release above 6.3.313 that incorporates it, verifying against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/e9c7fb16-efbb-41e9-be13-98e96c1e9100?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for Super Forms plugin installation and disable the plugin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42779
GHSA-f5f5-22mx-8h54