CVE-2026-14894

Source
https://cve.org/CVERecord?id=CVE-2026-14894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14894
Published
2026-07-10T02:30:40.490Z
Modified
2026-07-15T01:48:51.121631673Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value)
Details

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submitform function. This is due to missing file type validation and the absence of any capability check on the submitform nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the supercreatenonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

Database specific
{
    "cna_assigner": "Wordfence",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14894.json",
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/renstillmann/super-forms

Affected ranges

Type
GIT
Repo
https://github.com/renstillmann/super-forms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.3.313"
        }
    ]
}

Affected versions

v6.*
v6.3.313

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14894.json"