Home/ Blog/ Security news/ Article
Blog · Security news

Super Forms flaw lets anyone take over a WordPress site, and a working exploit is now public

A critical flaw (CVSS 9.8) in the Super Forms WordPress plugin lets unauthenticated attackers run code on the server. A public exploit exists; update to

Super Forms WordPress plugin file upload vulnerability shown as a malicious file bypassing validation

A critical vulnerability in Super Forms, a commercial drag-and-drop form builder for WordPress, lets an unauthenticated visitor upload a file and run their own code on the server. The flaw, tracked as CVE-2026-14894, carries a CVSS score of 9.8 out of 10. A working exploit was published on GitHub on July 11, 2026, so any site still on a vulnerable version should be treated as an active target.

The plugin's author shipped a fix in version 6.3.314 on July 7, 2026. Every release up to and including 6.3.313 is affected.

What the flaw does

Super Forms accepts form submissions through a public endpoint that any visitor can reach without logging in. According to the advisory from Wordfence, which assigned the identifier, the submission handler wrote uploaded files to disk without checking the file type or the caller's permissions. That gap lets an attacker send a PHP script in place of an image or a document, drop it into a web-accessible folder, and then load it in a browser to run commands on the host. Researchers put this in the class of upload flaws that end with an attacker running code on the host. Andrea Bocchetti is credited with the discovery.

Why a security token did not stop it

WordPress plugins often guard sensitive actions with a nonce, a one-time token meant to prove a request is legitimate. Here that protection was hollow. As IONIX notes in its analysis, Super Forms exposed a second public action that hands an unauthenticated caller a valid nonce on request. An attacker fetches a token with one request, then uses it to upload the malicious file with a second. Two unauthenticated requests are enough.

A public exploit is already circulating

A proof-of-concept exploit appeared on GitHub the day after public disclosure. It automates the two-step attack and, by its own description, includes a mass-scanning mode that hunts for vulnerable sites at scale. Suriq is not linking to the exploit or reproducing any of its code. The point for defenders is simple: the barrier to exploitation is now near zero, and opportunistic scanning for exposed Super Forms installs should be expected.

IONIX reports that it is already tracking exploitation attempts against the flaw. As of July 11, 2026, CVE-2026-14894 is not listed in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.

Am I affected?

You are exposed if you run a WordPress site with the Super Forms plugin at version 6.3.313 or earlier. The plugin is a paid product sold through the CodeCanyon marketplace, so it does not appear in the free WordPress plugin directory. Check the plugin list inside your WordPress admin to confirm whether it is installed and which version you are on.

Patch now, then hunt for a web shell

Update Super Forms to version 6.3.314 or later immediately. The vendor's fix adds server-side file-type verification, including magic-byte checks, filename sanitization, and path containment. If you cannot patch right away, disable the plugin or block access to its submission endpoint at your web application firewall.

Patching closes the door, but it does not undo a break-in that already happened. Because a working exploit is public, assume nothing and check:

  • Look through upload and other web-writable directories for PHP files you did not create. An unexpected script in an uploads folder is a strong sign of a web shell.
  • Review web server access logs for POST requests to admin-ajax.php that call the plugin's form-submission or nonce-generation actions, especially from unfamiliar addresses.
  • Watch for new files appearing in the web root after the fact. On the servers you run, file integrity monitoring flags a freshly written .php file in a content directory the moment it lands, which is exactly the artifact this attack leaves behind.

If you find a planted file, treat the host as compromised: rotate credentials, review for follow-on changes, and restore from a known-good backup rather than simply deleting the script.

Topics

Frequently asked questions

What is CVE-2026-14894?

It is a critical unauthenticated arbitrary file upload flaw in the Super Forms WordPress plugin, rated CVSS 9.8. Because the plugin saved uploaded files without checking their type or the caller's permissions, a remote attacker with no login can upload a PHP script and run code on the server.

Which Super Forms versions are affected and how do I fix it?

All versions up to and including 6.3.313 are affected. Update to 6.3.314, released July 7, 2026, which adds server-side file-type verification, filename sanitization, and path containment. If you cannot patch at once, disable the plugin or block its submission endpoint at a web application firewall.

Is CVE-2026-14894 being exploited?

A public proof-of-concept exploit is circulating, and the security vendor IONIX reports it is tracking exploitation attempts against the flaw. As of July 11, 2026 it is not listed in CISA's Known Exploited Vulnerabilities catalog. Given the public exploit and CVSS 9.8 rating, treat it as urgent.

How do I tell if my site was already compromised?

Check upload and other web-writable directories for PHP files you did not create; an unexpected script there is a strong sign of a web shell. Also review web server access logs for POST requests to admin-ajax.php that call the plugin's form-submission or nonce-generation actions from unfamiliar addresses.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.