SYS::ONLINE
Wasteland.
Briefs1132
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-14487 2026-07-08

CVE-2026-14487: Unauthenticated Arbitrary File Deletion in WordPress Simple Coherent Form Plugin

"A critical (CVSS 9.1) flaw lets unauthenticated attackers delete arbitrary files on servers running the Simple Coherent Form plugin, a path that can escalate to remote code execution."

A critical (CVSS 9.1) flaw lets unauthenticated attackers delete arbitrary files on servers running the Simple Coherent Form plugin, a path that can escalate to remote code execution.

What Is It

CVE-2026-14487 is an arbitrary file deletion vulnerability (CWE-22, path traversal) in the Simple Coherent Form plugin for WordPress by vendor tombgtn. The root cause is insufficient file path validation in the removeUploadDir function. According to the NVD record, the plugin's authorization controls do not present a real security boundary: the scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source.

Why It Matters

The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.1 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). It is remotely exploitable over the network, requires low attack complexity, and needs no privileges or user interaction. Because attackers can delete arbitrary files, the NVD notes this can easily lead to remote code execution when the right file is deleted; for example, wp-config.php. The impact scoring reflects high integrity and high availability damage.

What's Vulnerable

Patch Status

The supplied source material does not include a CISA KEV entry, so there is no confirmation of active exploitation at this time. The NVD record (published 2026-07-08, status "Received") does not specify a fixed version or required remediation action. Administrators should treat the plugin as unpatched based on this data and monitor the Wordfence advisory for a fix.

Sources