CRITICAL
WebRehab
CVE published 2026-07-10
CVE-2026-14894
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload. This vulnerability exists in all versions up to, and including, 6.3.313 due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler. The only barrier to exploitation is a session nonce that can be freely obtained by unauthenticated visitors via a se [truncated]