Simple Coherent Form
Monthly
Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.
Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.