WordPress Super Forms Plugin Arbitrary File Upload (CVE-2026-14894)
An unauthenticated arbitrary file upload vulnerability (CVE-2026-14894) exists in the Super Forms - Drag & Drop Form Builder plugin for WordPress, affecting all versions up to and including 6.3.313, allowing unauthenticated attackers to upload executable files via the `submit_form` AJAX handler, leading to remote code execution after trivial nonce bypass.
A critical arbitrary file upload vulnerability, identified as CVE-2026-14894, affects the Super Forms - Drag & Drop Form Builder plugin for WordPress, impacting all versions up to and including 6.3.313. This flaw stems from a critical absence of file type validation and capability checks within the submit_form nopriv AJAX handler. This means that unauthenticated attackers can upload executable files, paving the way for remote code execution (RCE) on the compromised WordPress instance. The primary hurdle for exploitation, a session nonce, is easily circumvented. Attackers can obtain a valid sf_nonce and session cookie through a separate, also unauthenticated, super_create_nonce AJAX action with a single prior request. This reduces the exploitation path to a simple two-step process, enabling an unauthenticated attacker to achieve full system compromise.
Attack Chain
- Initial Access (Nonce Generation): An unauthenticated attacker sends an HTTP POST request to the WordPress
admin-ajax.phpendpoint with theaction=super_create_nonceparameter to obtain a valid session nonce and corresponding session cookie. - Preparation (Malicious File Crafting): The attacker crafts a malicious file, typically a web shell (e.g.,
shell.phporcmd.php), designed to execute arbitrary commands on the server. - Initial Access (Arbitrary File Upload): The attacker sends a second unauthenticated HTTP POST request to
admin-ajax.php, targeting theaction=submit_formparameter, embedding the previously obtained nonce and the crafted malicious file. - Persistence/Defense Evasion (File Placement): Due to the Super Forms plugin's missing file type validation and absence of capability checks, the server uploads and saves the malicious executable file to a publicly accessible directory (e.g.,
/wp-content/uploads/superforms/) on the WordPress instance. - Execution (Web Shell Access): The attacker sends an HTTP GET request directly to the URL of the newly uploaded web shell (e.g.,
/wp-content/uploads/superforms/shell.php) to trigger its execution. - Impact (Remote Code Execution): The web shell executes arbitrary commands supplied by the attacker, leading to remote code execution on the underlying server and full compromise of the WordPress environment.
Impact
The successful exploitation of CVE-2026-14894 allows unauthenticated attackers to achieve remote code execution on affected WordPress websites. This can lead to complete server compromise, including data theft, website defacement, injection of malicious code into the website, or the use of the compromised server as a platform for further attacks. Given the plugin's popularity, a significant number of WordPress sites are potentially vulnerable, facing risks of complete loss of data integrity, confidentiality, and availability.
Recommendation
- Patch CVE-2026-14894 immediately: Update the Super Forms - Drag & Drop Form Builder plugin to a version greater than 6.3.313 to remediate CVE-2026-14894.
- Deploy the Sigma rule in this brief to your SIEM to detect attempts to access uploaded web shells resulting from CVE-2026-14894 exploitation.
- Monitor web server logs for unusual GET requests to WordPress upload directories with executable file extensions as described in the detection rule.
- Implement web application firewall (WAF) rules to block requests to
/wp-admin/admin-ajax.phpthat attempt to upload files with suspicious extensions or contain common web shell patterns.
Detection coverage 1
Detects CVE-2026-14894 Exploitation - Web Shell Access via Super Forms Upload
highDetects CVE-2026-14894 exploitation attempts by monitoring web server logs for GET requests to common WordPress upload directories that include executable file extensions, indicative of a successfully uploaded web shell.
Detection queries are available on the platform. Get full rules →