Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1834+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14894: WordPress Super Forms Plugin Critical Arbitrary File Upload
CVE-2026-14894: WordPress Super Forms Plugin Critical Arbitrary File Upload

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-14894

CVE-2026-14894: WordPress Super Forms Plugin Critical Arbitrary File Upload

A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute arbitrary files via a missing capability check on the submit_form AJAX handler.

Dylan H.

Security Team

July 10, 2026
3 min read

Affected Products

  • Super Forms – Drag & Drop Form Builder Plugin <= 6.3.313 (WordPress)

Executive Summary

CVE-2026-14894 is a critical (CVSS 9.8) arbitrary file upload vulnerability affecting the Super Forms – Drag & Drop Form Builder plugin for WordPress. All versions up to and including 6.3.313 are vulnerable. Exploitation requires no authentication and no special privileges, making this a high-priority patch target for any site running the affected plugin.

Vulnerability Details

FieldValue
CVE IDCVE-2026-14894
CVSS Score9.8 (Critical)
PluginSuper Forms – Drag & Drop Form Builder
Affected VersionsAll versions ≤ 6.3.313
Vulnerability TypeArbitrary File Upload
Authentication RequiredNone (unauthenticated)
PublishedJuly 10, 2026

Technical Analysis

The vulnerability exists in the submit_form function of the Super Forms plugin. Two compounding weaknesses enable exploitation:

  1. Missing file type validation — The plugin does not validate or restrict the types of files submitted through its AJAX-based form submission endpoint.
  2. No capability check on the nopriv AJAX handler — The submit_form function is registered as a wp_ajax_nopriv_ action, meaning it is accessible to completely unauthenticated users without any WordPress nonce or permission check enforced at the capability level.

An attacker can craft a multipart form request targeting wp-admin/admin-ajax.php?action=submit_form and upload a PHP webshell or other malicious executable to the server's web-accessible directory. Once uploaded, the file can be requested directly, granting remote code execution (RCE) on the underlying server.

Impact

  • Remote Code Execution via uploaded PHP shell
  • Full server compromise if the web server runs with elevated privileges
  • Data exfiltration, malware deployment, or use as a pivot point within a hosting environment
  • Shared hosting risk: a compromised site may affect neighbouring domains on the same server

Affected Versions

PluginVersions Affected
Super Forms – Drag & Drop Form Builder≤ 6.3.313

Remediation

  1. Update immediately to a patched version above 6.3.313 via the WordPress plugin dashboard or WP-CLI:
    wp plugin update super-forms
  2. Audit uploaded files — Check wp-content/uploads/ for any recently uploaded .php, .phtml, .phar, or other executable files.
  3. Review server logs — Look for POST requests to wp-admin/admin-ajax.php with action=submit_form containing unexpected file parameters.
  4. Implement a WAF rule to block file uploads of executable MIME types if patching is delayed.
  5. Consider temporary plugin deactivation until a patch is applied if the plugin is not business-critical.

Indicators of Compromise

  • Unusual POST traffic to wp-admin/admin-ajax.php?action=submit_form
  • Unexpected .php files in wp-content/uploads/ subdirectories
  • New admin users created after the file upload timestamp
  • Outbound connections from the web server process to unknown IPs

References

  • NVD Entry — CVE-2026-14894
  • WordPress Plugin Repository — Super Forms
#CVE-2026-14894#WordPress#File Upload#Arbitrary File Upload#AJAX#Plugin Vulnerability#CVSS 9.8

Related Articles

CVE-2026-15282: WordPress Instant Appointment Plugin Critical File Upload

A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute arbitrary files via the insapp_upload_image_as_attachment function — no authentication required.

3 min read

CVE-2026-15158: WordPress Blocksy Companion Arbitrary File Upload (CVSS 9.8)

A critical arbitrary file upload vulnerability in the Blocksy Companion WordPress plugin (versions up to 2.1.46) allows unauthenticated attackers to upload malicious PHP files by exploiting a flawed font file type filter, enabling remote code execution.

5 min read

CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

3 min read
Back to all Security Alerts