Arbitrary File Deletion in Simple Coherent Form Plugin for WordPress
CVE-2026-14487
What is CVE-2026-14487?
The Simple Coherent Form plugin for WordPress is affected by an arbitrary file deletion vulnerability that arises from insufficient file path validation in the removeUploadDir function. This vulnerability is present in all versions up to and including 2.4.13. It allows unauthenticated attackers to delete arbitrary files from the server, potentially leading to remote code execution if critical files, such as wp-config.php, are targeted. The scf_get_id_upload endpoint issues a valid scf_upload_file_removal nonce to unauthenticated visitors without proper restrictions, while the secondary hash check can be easily forged due to reliance on a hardcoded salt in the plugin's source code, thus negating effective authorization controls.
Affected Version(s)
Simple Coherent Form 0 <= 2.4.13