A critical (CVSS 9.1) flaw lets unauthenticated attackers delete arbitrary files on servers running the Simple Coherent Form plugin, a path that can escalate to remote code execution.
What Is It
CVE-2026-14487 is an arbitrary file deletion vulnerability (CWE-22, path traversal) in the Simple Coherent Form plugin for WordPress by vendor tombgtn. The root cause is insufficient file path validation in the removeUploadDir function. According to the NVD record, the plugin's authorization controls do not present a real security boundary: the scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source.
Why It Matters
The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.1 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). It is remotely exploitable over the network, requires low attack complexity, and needs no privileges or user interaction. Because attackers can delete arbitrary files, the NVD notes this can easily lead to remote code execution when the right file is deleted; for example, wp-config.php. The impact scoring reflects high integrity and high availability damage.
What's Vulnerable
- Product: Simple Coherent Form plugin for WordPress
- Vendor: tombgtn
- Affected versions: All versions up to and including 2.4.13
Patch Status
The supplied source material does not include a CISA KEV entry, so there is no confirmation of active exploitation at this time. The NVD record (published 2026-07-08, status "Received") does not specify a fixed version or required remediation action. Administrators should treat the plugin as unpatched based on this data and monitor the Wordfence advisory for a fix.