Executive Summary
A critical unauthenticated arbitrary file deletion vulnerability has been disclosed in the Simple Coherent Form plugin for WordPress. Tracked as CVE-2026-14487 with a CVSS score of 9.1, the flaw exists in the removeUploadDir function and affects all versions up to and including 2.4.13.
Unauthenticated attackers can exploit this vulnerability to delete arbitrary files on the web server — including WordPress core files, configuration files (such as wp-config.php), or .htaccess entries — potentially leading to complete site compromise or remote code execution through secondary attack chains.
CVSS Score: 9.1 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14487 |
| CVSS Score | 9.1 (Critical) |
| Type | Arbitrary File Deletion |
| Attack Vector | Network |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Affected Plugin | Simple Coherent Form |
| Affected Versions | All versions <= 2.4.13 |
Root Cause
The vulnerability stems from insufficient file path validation in the removeUploadDir function. The plugin fails to sanitize or restrict the file paths provided to this function, allowing an unauthenticated attacker to supply arbitrary paths — traversing outside of the intended upload directory and deleting critical server files.
Affected Versions and Patches
| Component | Affected Versions | Status |
|---|---|---|
| Simple Coherent Form (WordPress) | All versions <= 2.4.13 | Patch status — check plugin repository |
Recommended Action: Update to the latest version of the plugin immediately. If no patch is available, deactivate and remove the plugin until a fix is released.
Impact
Direct Impact
Successful exploitation allows an attacker to:
- Delete arbitrary files on the server filesystem, including:
wp-config.php(disables the WordPress site and may trigger re-installation).htaccess(removes access controls and URL routing)- WordPress core files (breaks site functionality)
- Custom theme/plugin files
Secondary Attack Chain
Deleting wp-config.php forces WordPress into a setup state where a new admin account can be created — effectively handing full administrative control to the attacker without ever needing existing credentials.
Attack Scenario
1. Attacker identifies a WordPress site running Simple Coherent Form <= 2.4.13
2. Sends a crafted unauthenticated request to the removeUploadDir function
3. Supplies a path-traversal payload to target wp-config.php or .htaccess
4. Server deletes the targeted file without authentication checks
5. Attacker accesses wp-admin/install.php to create a new admin user
6. Full site takeover achievedRemediation
Immediate Steps
- Update Simple Coherent Form to the latest patched version
- If no patch is available: Deactivate and delete the plugin immediately
- Audit file integrity: Check that
wp-config.php,.htaccess, and core WordPress files are intact - Review access logs: Look for suspicious requests to the
removeUploadDirendpoint from unauthenticated sources
WordPress Hardening
- Disable file editing in
wp-config.php:define('DISALLOW_FILE_EDIT', true); - Implement a Web Application Firewall (WAF) to block path traversal attempts
- Restrict filesystem permissions — web server should not have delete access outside the webroot
- Use WordPress integrity monitoring to detect unauthorized file changes
Detection
Log Indicators
Watch for unauthenticated POST requests targeting admin-ajax or REST endpoints associated with removeUploadDir. Signs of exploitation include:
| Indicator | Description |
|---|---|
Requests to removeUploadDir action from unauthenticated IPs | Direct exploitation attempt |
Missing wp-config.php or .htaccess | Post-exploitation file deletion |
Access to wp-admin/install.php after initial setup | Re-installation takeover attempt |
| New admin users created at unusual times | Post-exploitation account creation |
Key Takeaways
- CVSS 9.1 Critical — Unauthenticated arbitrary file deletion with no prerequisites
- All versions up to 2.4.13 are affected — patch or remove the plugin immediately
- Chained exploitation risk: Deleting
wp-config.phpenables full site takeover via re-installation - WordPress plugin vulnerabilities of this type are frequently mass-scanned and exploited at scale
- Apply WAF rules targeting path traversal sequences if immediate patching is not possible