Vendor
critical
advisory
WordPress Super Forms Plugin Arbitrary File Upload (CVE-2026-14894)
1 rule 2 TTPs 1 CVE 1 IOCAn unauthenticated arbitrary file upload vulnerability (CVE-2026-14894) exists in the Super Forms - Drag & Drop Form Builder plugin for WordPress, affecting all versions up to and including 6.3.313, allowing unauthenticated attackers to upload executable files via the `submit_form` AJAX handler, leading to remote code execution after trivial nonce bypass.
PoC
Super Forms – Drag & Drop Form Builder <= 6.3.313 +1
wordpress
plugin
arbitrary-file-upload
rce
web-exploit
1r
2t
1c
1i
updated