Home

Description

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

PUBLISHED Reserved 2026-07-06 | Published 2026-07-10 | Updated 2026-07-10 | Assigner Wordfence




CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status
unaffected

Any version
affected

Timeline

2026-07-07:Vendor Notified
2026-07-09:Disclosed

Credits

andrea bocchetti finder

References

www.wordfence.com/...-efbb-41e9-be13-98e96c1e9100?source=cve

github.com/...ommit/c5838f5877c72b738c54ed970935c77ae6830c3a

cve.org (CVE-2026-14894)

nvd.nist.gov (CVE-2026-14894)

Download JSON