Skip to main content

Simple Coherent Form

1 CVEs product

Monthly

CVE-2026-14487 CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE PHP Simple Coherent Form
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE +2
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy