{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/super-forms--drag--drop-form-builder--6.3.313/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-14894"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Super Forms – Drag \u0026 Drop Form Builder \u003c= 6.3.313"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","arbitrary-file-upload","rce","web-exploit"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical arbitrary file upload vulnerability, identified as CVE-2026-14894, affects the Super Forms - Drag \u0026amp; Drop Form Builder plugin for WordPress, impacting all versions up to and including 6.3.313. This flaw stems from a critical absence of file type validation and capability checks within the \u003ccode\u003esubmit_form\u003c/code\u003e nopriv AJAX handler. This means that unauthenticated attackers can upload executable files, paving the way for remote code execution (RCE) on the compromised WordPress instance. The primary hurdle for exploitation, a session nonce, is easily circumvented. Attackers can obtain a valid \u003ccode\u003esf_nonce\u003c/code\u003e and session cookie through a separate, also unauthenticated, \u003ccode\u003esuper_create_nonce\u003c/code\u003e AJAX action with a single prior request. This reduces the exploitation path to a simple two-step process, enabling an unauthenticated attacker to achieve full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Nonce Generation)\u003c/strong\u003e: An unauthenticated attacker sends an HTTP POST request to the WordPress \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction=super_create_nonce\u003c/code\u003e parameter to obtain a valid session nonce and corresponding session cookie.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePreparation (Malicious File Crafting)\u003c/strong\u003e: The attacker crafts a malicious file, typically a web shell (e.g., \u003ccode\u003eshell.php\u003c/code\u003e or \u003ccode\u003ecmd.php\u003c/code\u003e), designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Arbitrary File Upload)\u003c/strong\u003e: The attacker sends a second unauthenticated HTTP POST request to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e, targeting the \u003ccode\u003eaction=submit_form\u003c/code\u003e parameter, embedding the previously obtained nonce and the crafted malicious file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Defense Evasion (File Placement)\u003c/strong\u003e: Due to the Super Forms plugin's missing file type validation and absence of capability checks, the server uploads and saves the malicious executable file to a publicly accessible directory (e.g., \u003ccode\u003e/wp-content/uploads/superforms/\u003c/code\u003e) on the WordPress instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (Web Shell Access)\u003c/strong\u003e: The attacker sends an HTTP GET request directly to the URL of the newly uploaded web shell (e.g., \u003ccode\u003e/wp-content/uploads/superforms/shell.php\u003c/code\u003e) to trigger its execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Remote Code Execution)\u003c/strong\u003e: The web shell executes arbitrary commands supplied by the attacker, leading to remote code execution on the underlying server and full compromise of the WordPress environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14894 allows unauthenticated attackers to achieve remote code execution on affected WordPress websites. This can lead to complete server compromise, including data theft, website defacement, injection of malicious code into the website, or the use of the compromised server as a platform for further attacks. Given the plugin's popularity, a significant number of WordPress sites are potentially vulnerable, facing risks of complete loss of data integrity, confidentiality, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14894 immediately\u003c/strong\u003e: Update the Super Forms - Drag \u0026amp; Drop Form Builder plugin to a version greater than 6.3.313 to remediate CVE-2026-14894.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule\u003c/strong\u003e in this brief to your SIEM to detect attempts to access uploaded web shells resulting from CVE-2026-14894 exploitation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server logs\u003c/strong\u003e for unusual GET requests to WordPress upload directories with executable file extensions as described in the detection rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement web application firewall (WAF) rules\u003c/strong\u003e to block requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e that attempt to upload files with suspicious extensions or contain common web shell patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T04:19:23Z","date_published":"2026-07-10T04:19:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-super-forms-rce/","summary":"An unauthenticated arbitrary file upload vulnerability (CVE-2026-14894) exists in the Super Forms - Drag \u0026 Drop Form Builder plugin for WordPress, affecting all versions up to and including 6.3.313, allowing unauthenticated attackers to upload executable files via the `submit_form` AJAX handler, leading to remote code execution after trivial nonce bypass.","title":"WordPress Super Forms Plugin Arbitrary File Upload (CVE-2026-14894)","url":"https://feed.craftedsignal.io/briefs/2026-07-super-forms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Super Forms – Drag \u0026 Drop Form Builder \u003c= 6.3.313","version":"https://jsonfeed.org/version/1.1"}