CVE-2026-14894
Received Received - Intake

Arbitrary File Upload in Super Forms WordPress Plugin

Vulnerability report for CVE-2026-14894, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpforms super_forms to 6.3.313 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to upload potentially executable files, leading to remote code execution. This can result in unauthorized access, data breaches, or manipulation of sensitive information.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to failure to adequately protect data and systems.

Executive Summary

The Super Forms – Drag & Drop Form Builder plugin for WordPress up to version 6.3.313 is vulnerable to Arbitrary File Upload via its submit_form function. This happens because the plugin does not properly validate file types and lacks capability checks on the submit_form nopriv AJAX handler. Although it requires a session nonce, unauthenticated attackers can easily obtain this nonce through another nopriv AJAX action, allowing them to upload potentially executable files. This can lead to remote code execution on the affected server.

The vulnerability was fixed in version 6.3.314 by adding multiple safeguards including validating that PDF generation is enabled before processing uploads, sanitizing filenames, verifying uploaded files are valid PDFs, enforcing strict directory containment, and writing files in binary mode to prevent corruption.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to upload arbitrary files, including executable ones, to the server hosting the WordPress site. This can lead to remote code execution, meaning attackers could run malicious code on your server, potentially gaining full control over the website and underlying system.

Such control can result in data theft, website defacement, installation of malware, or using the server as a launchpad for further attacks.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized file uploads to the Super Forms plugin, especially attempts to upload executable files or files that bypass normal validation.

Since the vulnerability exploits the submit_form nopriv AJAX handler, you can look for unusual HTTP POST requests to the AJAX endpoint related to Super Forms, particularly those that include file upload attempts.

Commands to detect suspicious activity might include:

  • Using web server logs to search for POST requests to admin-ajax.php with the action parameter set to submit_form from unauthenticated IPs.
  • Example command to search Apache logs: grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'submit_form'
  • Monitoring for creation of unexpected PDF or other files in the uploads directory that do not conform to expected naming or content standards.
  • Using file integrity monitoring tools to detect new or modified files in the WordPress uploads directory.
Mitigation Strategies

The immediate mitigation step is to update the Super Forms plugin to version 6.3.314 or later, where the vulnerability has been fixed.

The update includes several hardening measures such as validating PDF generation settings, sanitizing filenames, verifying PDF file headers, enforcing strict directory containment, and writing files in binary mode to prevent arbitrary file uploads.

If updating immediately is not possible, consider temporarily disabling the Super Forms plugin or restricting access to the AJAX endpoints to authenticated users only.

Additionally, monitor your system for any signs of exploitation and remove any suspicious files found in the uploads directory.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart