CVE-2026-14487
Received Received - Intake

Arbitrary File Deletion in Simple Coherent Form WordPress Plugin

Vulnerability report for CVE-2026-14487, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
simple_coherent_form plugin to 2.4.13 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Simple Coherent Form plugin for WordPress has a vulnerability that allows unauthenticated attackers to delete arbitrary files on the server. This happens because the plugin's removeUploadDir function does not properly validate file paths. Additionally, the scf_get_id_upload endpoint issues a valid file removal nonce to any visitor without authentication, and the secondary hash check used for authorization can be forged offline due to a hardcoded salt in the plugin source. This means attackers can bypass authorization controls and delete important files.

Impact Analysis

This vulnerability can have severe impacts because attackers can delete critical files on the server, such as the wp-config.php file. Deleting such files can lead to remote code execution, allowing attackers to take control of the server. Since the vulnerability requires no authentication and has a low attack complexity, it poses a high risk of exploitation, potentially resulting in significant damage to the website and server.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart