Executive Summary
CVE-2026-14894 is a critical (CVSS 9.8) arbitrary file upload vulnerability affecting the Super Forms – Drag & Drop Form Builder plugin for WordPress. All versions up to and including 6.3.313 are vulnerable. Exploitation requires no authentication and no special privileges, making this a high-priority patch target for any site running the affected plugin.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14894 |
| CVSS Score | 9.8 (Critical) |
| Plugin | Super Forms – Drag & Drop Form Builder |
| Affected Versions | All versions ≤ 6.3.313 |
| Vulnerability Type | Arbitrary File Upload |
| Authentication Required | None (unauthenticated) |
| Published | July 10, 2026 |
Technical Analysis
The vulnerability exists in the submit_form function of the Super Forms plugin. Two compounding weaknesses enable exploitation:
- Missing file type validation — The plugin does not validate or restrict the types of files submitted through its AJAX-based form submission endpoint.
- No capability check on the
noprivAJAX handler — Thesubmit_formfunction is registered as awp_ajax_nopriv_action, meaning it is accessible to completely unauthenticated users without any WordPress nonce or permission check enforced at the capability level.
An attacker can craft a multipart form request targeting wp-admin/admin-ajax.php?action=submit_form and upload a PHP webshell or other malicious executable to the server's web-accessible directory. Once uploaded, the file can be requested directly, granting remote code execution (RCE) on the underlying server.
Impact
- Remote Code Execution via uploaded PHP shell
- Full server compromise if the web server runs with elevated privileges
- Data exfiltration, malware deployment, or use as a pivot point within a hosting environment
- Shared hosting risk: a compromised site may affect neighbouring domains on the same server
Affected Versions
| Plugin | Versions Affected |
|---|---|
| Super Forms – Drag & Drop Form Builder | ≤ 6.3.313 |
Remediation
- Update immediately to a patched version above 6.3.313 via the WordPress plugin dashboard or WP-CLI:
wp plugin update super-forms - Audit uploaded files — Check
wp-content/uploads/for any recently uploaded.php,.phtml,.phar, or other executable files. - Review server logs — Look for POST requests to
wp-admin/admin-ajax.phpwithaction=submit_formcontaining unexpected file parameters. - Implement a WAF rule to block file uploads of executable MIME types if patching is delayed.
- Consider temporary plugin deactivation until a patch is applied if the plugin is not business-critical.
Indicators of Compromise
- Unusual POST traffic to
wp-admin/admin-ajax.php?action=submit_form - Unexpected
.phpfiles inwp-content/uploads/subdirectories - New admin users created after the file upload timestamp
- Outbound connections from the web server process to unknown IPs