Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion
CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-14487

CVE-2026-14487: WordPress Simple Coherent Form Plugin — Critical Unauthenticated File Deletion

A critical CVSS 9.1 vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution or complete site takedown.

Dylan H.

Security Team

July 8, 2026
4 min read

Affected Products

  • Simple Coherent Form for WordPress <= 2.4.13

Executive Summary

A critical unauthenticated arbitrary file deletion vulnerability has been disclosed in the Simple Coherent Form plugin for WordPress. Tracked as CVE-2026-14487 with a CVSS score of 9.1, the flaw exists in the removeUploadDir function and affects all versions up to and including 2.4.13.

Unauthenticated attackers can exploit this vulnerability to delete arbitrary files on the web server — including WordPress core files, configuration files (such as wp-config.php), or .htaccess entries — potentially leading to complete site compromise or remote code execution through secondary attack chains.

CVSS Score: 9.1 (Critical)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-14487
CVSS Score9.1 (Critical)
TypeArbitrary File Deletion
Attack VectorNetwork
AuthenticationNone required
Privileges RequiredNone
User InteractionNone
Affected PluginSimple Coherent Form
Affected VersionsAll versions <= 2.4.13

Root Cause

The vulnerability stems from insufficient file path validation in the removeUploadDir function. The plugin fails to sanitize or restrict the file paths provided to this function, allowing an unauthenticated attacker to supply arbitrary paths — traversing outside of the intended upload directory and deleting critical server files.


Affected Versions and Patches

ComponentAffected VersionsStatus
Simple Coherent Form (WordPress)All versions <= 2.4.13Patch status — check plugin repository

Recommended Action: Update to the latest version of the plugin immediately. If no patch is available, deactivate and remove the plugin until a fix is released.


Impact

Direct Impact

Successful exploitation allows an attacker to:

  • Delete arbitrary files on the server filesystem, including:
    • wp-config.php (disables the WordPress site and may trigger re-installation)
    • .htaccess (removes access controls and URL routing)
    • WordPress core files (breaks site functionality)
    • Custom theme/plugin files

Secondary Attack Chain

Deleting wp-config.php forces WordPress into a setup state where a new admin account can be created — effectively handing full administrative control to the attacker without ever needing existing credentials.


Attack Scenario

1. Attacker identifies a WordPress site running Simple Coherent Form <= 2.4.13
2. Sends a crafted unauthenticated request to the removeUploadDir function
3. Supplies a path-traversal payload to target wp-config.php or .htaccess
4. Server deletes the targeted file without authentication checks
5. Attacker accesses wp-admin/install.php to create a new admin user
6. Full site takeover achieved

Remediation

Immediate Steps

  1. Update Simple Coherent Form to the latest patched version
  2. If no patch is available: Deactivate and delete the plugin immediately
  3. Audit file integrity: Check that wp-config.php, .htaccess, and core WordPress files are intact
  4. Review access logs: Look for suspicious requests to the removeUploadDir endpoint from unauthenticated sources

WordPress Hardening

  • Disable file editing in wp-config.php: define('DISALLOW_FILE_EDIT', true);
  • Implement a Web Application Firewall (WAF) to block path traversal attempts
  • Restrict filesystem permissions — web server should not have delete access outside the webroot
  • Use WordPress integrity monitoring to detect unauthorized file changes

Detection

Log Indicators

Watch for unauthenticated POST requests targeting admin-ajax or REST endpoints associated with removeUploadDir. Signs of exploitation include:

IndicatorDescription
Requests to removeUploadDir action from unauthenticated IPsDirect exploitation attempt
Missing wp-config.php or .htaccessPost-exploitation file deletion
Access to wp-admin/install.php after initial setupRe-installation takeover attempt
New admin users created at unusual timesPost-exploitation account creation

Key Takeaways

  1. CVSS 9.1 Critical — Unauthenticated arbitrary file deletion with no prerequisites
  2. All versions up to 2.4.13 are affected — patch or remove the plugin immediately
  3. Chained exploitation risk: Deleting wp-config.php enables full site takeover via re-installation
  4. WordPress plugin vulnerabilities of this type are frequently mass-scanned and exploited at scale
  5. Apply WAF rules targeting path traversal sequences if immediate patching is not possible

References

  • NVD — CVE-2026-14487
  • WordPress Plugin Repository — Simple Coherent Form
  • OWASP — Path Traversal
#CVE#WordPress#File Deletion#Unauthenticated#Plugin Vulnerability#NVD

Related Articles

CVE-2026-12153: WP Learn Manager Plugin — Unauthenticated Authorization Bypass Allows Plugin Installation

A critical CVSS 9.8 authorization bypass in the WP Learn Manager WordPress plugin allows unauthenticated attackers to install and activate arbitrary plugins — effectively granting full control of the WordPress site without credentials.

5 min read

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

3 min read

CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

5 min read
Back to all Security Alerts