Back to overview

CVE-2026-14894

CRITICAL
9.8
CVSS 3.1
Description
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

Metadata

CVE ID
CVE-2026-14894
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-06 18:28 UTC
Published
2026-07-10 02:30 UTC
Last updated
2026-07-10 02:30 UTC
Primary CWE
CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product
WebRehab / Super Forms – Drag & Drop Form Builder
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
WebRehab Super Forms – Drag & Drop Form Builder 0 ≤ 6.3.313
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview