Arbitrary File Upload Vulnerability in Super Forms for WordPress
CVE-2026-14894

9.8CRITICAL

What is CVE-2026-14894?

The Super Forms – Drag & Drop Form Builder plugin for WordPress contains a vulnerability allowing arbitrary file uploads due to insufficient file type validation and a lack of capability checks in the submit_form function. Attackers can exploit this weakness in all versions up to and including 6.3.313, allowing unauthenticated users to upload potentially executable files. The exploitation process is alarmingly simple, requiring only two unauthenticated HTTP requests, making it imperative for website administrators to take immediate action to secure their systems against possible remote code execution attacks. Proper patching and security measures are crucial to mitigating this vulnerability.

Affected Version(s)

Super Forms – Drag & Drop Form Builder 0 <= 6.3.313

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti
.