A critical vulnerability in Super Forms, a commercial drag-and-drop form builder for WordPress, lets an unauthenticated visitor upload a file and run their own code on the server. The flaw, tracked as CVE-2026-14894, carries a CVSS score of 9.8 out of 10. A working exploit was published on GitHub on July 11, 2026, so any site still on a vulnerable version should be treated as an active target.
The plugin's author shipped a fix in version 6.3.314 on July 7, 2026. Every release up to and including 6.3.313 is affected.
What the flaw does
Super Forms accepts form submissions through a public endpoint that any visitor can reach without logging in. According to the advisory from Wordfence, which assigned the identifier, the submission handler wrote uploaded files to disk without checking the file type or the caller's permissions. That gap lets an attacker send a PHP script in place of an image or a document, drop it into a web-accessible folder, and then load it in a browser to run commands on the host. Researchers put this in the class of upload flaws that end with an attacker running code on the host. Andrea Bocchetti is credited with the discovery.
Why a security token did not stop it
WordPress plugins often guard sensitive actions with a nonce, a one-time token meant to prove a request is legitimate. Here that protection was hollow. As IONIX notes in its analysis, Super Forms exposed a second public action that hands an unauthenticated caller a valid nonce on request. An attacker fetches a token with one request, then uses it to upload the malicious file with a second. Two unauthenticated requests are enough.
A public exploit is already circulating
A proof-of-concept exploit appeared on GitHub the day after public disclosure. It automates the two-step attack and, by its own description, includes a mass-scanning mode that hunts for vulnerable sites at scale. Suriq is not linking to the exploit or reproducing any of its code. The point for defenders is simple: the barrier to exploitation is now near zero, and opportunistic scanning for exposed Super Forms installs should be expected.
IONIX reports that it is already tracking exploitation attempts against the flaw. As of July 11, 2026, CVE-2026-14894 is not listed in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
Am I affected?
You are exposed if you run a WordPress site with the Super Forms plugin at version 6.3.313 or earlier. The plugin is a paid product sold through the CodeCanyon marketplace, so it does not appear in the free WordPress plugin directory. Check the plugin list inside your WordPress admin to confirm whether it is installed and which version you are on.
Patch now, then hunt for a web shell
Update Super Forms to version 6.3.314 or later immediately. The vendor's fix adds server-side file-type verification, including magic-byte checks, filename sanitization, and path containment. If you cannot patch right away, disable the plugin or block access to its submission endpoint at your web application firewall.
Patching closes the door, but it does not undo a break-in that already happened. Because a working exploit is public, assume nothing and check:
- Look through upload and other web-writable directories for PHP files you did not create. An unexpected script in an uploads folder is a strong sign of a web shell.
- Review web server access logs for POST requests to admin-ajax.php that call the plugin's form-submission or nonce-generation actions, especially from unfamiliar addresses.
- Watch for new files appearing in the web root after the fact. On the servers you run, file integrity monitoring flags a freshly written .php file in a content directory the moment it lands, which is exactly the artifact this attack leaves behind.
If you find a planted file, treat the host as compromised: rotate credentials, review for follow-on changes, and restore from a known-good backup rather than simply deleting the script.