Arbitrary File Upload Vulnerability in Super Forms for WordPress
CVE-2026-14894
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-14894?
The Super Forms β Drag & Drop Form Builder plugin for WordPress contains a vulnerability allowing arbitrary file uploads due to insufficient file type validation and a lack of capability checks in the submit_form function. Attackers can exploit this weakness in all versions up to and including 6.3.313, allowing unauthenticated users to upload potentially executable files. The exploitation process is alarmingly simple, requiring only two unauthenticated HTTP requests, making it imperative for website administrators to take immediate action to secure their systems against possible remote code execution attacks. Proper patching and security measures are crucial to mitigating this vulnerability.
Affected Version(s)
Super Forms β Drag & Drop Form Builder 0 <= 6.3.313