PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14487 tombgtn CVE debrief

The Simple Coherent Form plugin for WordPress has a critical vulnerability, CVE-2026-14487, allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution. This vulnerability exists due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. Users of the Simple Coherent Form plugin for WordPress should be aware of this critical vulnerability and take immediate action to protect their installations. The vulnerability can be exploited by deleting arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted.

Vendor
tombgtn
Product
Simple Coherent Form
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of the Simple Coherent Form plugin for WordPress should be aware of this critical vulnerability and take immediate action to protect their installations. This includes updating the plugin to a version that fixes the vulnerability, implementing additional security measures to monitor and restrict file deletions, and regularly reviewing and updating plugins and themes to prevent similar vulnerabilities.

Technical summary

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted. The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source.

Defensive priority

High

Recommended defensive actions

  • Update the Simple Coherent Form plugin to a version that fixes the vulnerability
  • Implement additional security measures to monitor and restrict file deletions
  • Regularly review and update plugins and themes to prevent similar vulnerabilities
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported by [email protected] and is tracked in the CVE record. The Simple Coherent Form plugin for WordPress has a critical vulnerability, CVE-2026-14487, allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution. The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary. Evidence limits suggest verifying affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T05:16:26.980Z and has not been modified since then.