PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14894 WebRehab CVE debrief

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload. This vulnerability exists in all versions up to, and including, 6.3.313 due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler. The only barrier to exploitation is a session nonce that can be freely obtained by unauthenticated visitors via a separate nopriv endpoint. Furthermore, the nonce requirement can be trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request. This reduces exploitation to two unauthenticated HTTP requests, making remote code execution possible.

Vendor
WebRehab
Product
Super Forms – Drag & Drop Form Builder
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of the Super Forms – Drag & Drop Form Builder plugin for WordPress should be aware of this vulnerability and take immediate action to protect their installations. This vulnerability is particularly concerning because it allows unauthenticated attackers to potentially execute remote code, which could lead to complete control of the affected system.

Technical summary

The vulnerability in the Super Forms – Drag & Drop Form Builder plugin for WordPress is caused by a lack of file type validation and insufficient capability checks in the submit_form nopriv AJAX handler. This allows unauthenticated attackers to upload files, potentially including executable files, leading to a remote code execution vulnerability. The exploit can be carried out in two steps: first, by obtaining a valid nonce through the super_create_nonce AJAX action, and second, by using this nonce to upload a malicious file through the submit_form AJAX action.

Defensive priority

High

Recommended defensive actions

  • Immediately update the Super Forms – Drag & Drop Form Builder plugin to a version that fixes this vulnerability, if available.
  • If an update is not available, consider temporarily disabling the plugin until a fix is released.
  • Review and restrict access to the submit_form and super_create_nonce AJAX handlers, if possible.
  • Enhance monitoring for suspicious activity related to file uploads and remote code execution attempts.
  • Consider implementing additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.

Evidence notes

The CVE record was published on 2026-07-10T04:17:47.587Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The vulnerability was reported by [email protected]. Limited details are available about the specific exploits or attacks related to this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T04:17:47.587Z and has not been modified since then. The NVD entry is currently Deferred.