A critical (CVSS 9.8) arbitrary file upload flaw in the Super Forms – Drag & Drop Form Builder plugin lets unauthenticated attackers upload executable files and achieve remote code execution in just two HTTP requests.
What Is It
CVE-2026-14894 is an arbitrary file upload vulnerability (CWE-434) in the Super Forms – Drag & Drop Form Builder plugin for WordPress, affecting all versions up to and including 6.3.313. The flaw lives in the submit_form function: the submit_form nopriv AJAX handler performs no file type validation and no capability check. Its only barrier is a session nonce, which is trivially defeated; the super_create_nonce nopriv AJAX action lets any unauthenticated visitor mint a valid sf_nonce and session cookie in a single prior request. As a result, an unauthenticated attacker can upload files that may be executable, enabling remote code execution, and the entire attack reduces to two unauthenticated HTTP requests.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is network-exploitable at low complexity, requires no privileges and no user interaction, and delivers high impact to confidentiality, integrity, and availability. Because exploitation needs no authentication and only two requests, the barrier to abuse is minimal, and successful RCE gives an attacker full control of the affected WordPress site.
What's Vulnerable
- Vendor: WebRehab
- Product: Super Forms – Drag & Drop Form Builder plugin for WordPress
- Affected versions: All versions from 0 up to and including 6.3.313
Patch Status
The supplied source material references a fix commit in the Super Forms repository (commit c5838f5). Administrators running Super Forms 6.3.313 or earlier should update to a patched release incorporating that fix. No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation in the provided data. NVD lists the record as "Received."
Sources
- Wordfence Threat Intelligence; https://www.wordfence.com/threat-intel/vulnerabilities/id/e9c7fb16-efbb-41e9-be13-98e96c1e9100?source=cve
- Super Forms fix commit (GitHub), https://github.com/RensTillmann/super-forms/commit/c5838f5877c72b738c54ed970935c77ae6830c3a
- NVD, CVE-2026-14894, https://nvd.nist.gov/vuln/detail/CVE-2026-14894