The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Webrehab
Webrehab super Forms – Drag & Drop Form Builder Wordpress Wordpress wordpress |
|
| Vendors & Products |
Webrehab
Webrehab super Forms – Drag & Drop Form Builder Wordpress Wordpress wordpress |
Fri, 10 Jul 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests. | |
| Title | Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value) | |
| Weaknesses | CWE-434 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published: 2026-07-10T02:30:40.490Z
Updated: 2026-07-10T02:30:40.490Z
Reserved: 2026-07-06T18:28:42.679Z
Link: CVE-2026-14894
No data.
No data.
No data.