miwordpress.

Run WordPress faster, safer, and smarter.

News

Critical Vulnerability Discovered in Super Forms Plugin

CVE-2026-14894: unauthenticated RCE via unrestricted file upload in Super Forms ≤ 6.3.313. No patched release is published at the time of writing.

Critical Vulnerability Discovered in Super Forms Plugin

Attack chain

The form-submission endpoint in Super Forms accepts file attachments from anonymous visitors. The handler validates neither MIME type nor extension, and performs no capability check. The only barrier is a session-bound security token — and that token is issued through a separate endpoint that is itself open to unauthenticated requests. Two HTTP calls are sufficient for full site takeover:

1. GET /wp-admin/admin-ajax.php?action=super_get_token — retrieve session cookie and token.

2. POST /wp-admin/admin-ajax.php?action=super_submit_form — submit the form with an attached PHP payload using the same cookie.

The payload lands inside wp-content/uploads/ and is directly executable. NVD classifies the flaw as CWE-434 with CVSS 9.8.

Affected versions and status

  • Plugin: Super Forms – Drag & Drop Form Builder
  • Vulnerable: all releases ≤ 6.3.313
  • Fixed: none at time of writing

Diagnostic steps

1. Confirm whether the plugin is installed:

wp plugin list --allow-root | grep super-forms

2. Scan the uploads directory for unfamiliar .php files, ordered by modification time:

find /var/www/*/wp-content/uploads -type f -name "*.php" -printf "%TY-%Tm-%Td %TH:%TM %p\n" | sort

3. Hunt for typical web-shell signatures inside uploads:

grep -rE "eval\(|base64_decode\(|system\(|passthru\(" /var/www/*/wp-content/uploads/

4. Inspect web server access logs for the two-step token-then-upload pattern against admin-ajax.php:

grep "action=super_get_token" /var/log/nginx/access.log
grep "action=super_submit_form" /var/log/nginx/access.log

5. If indicators appear, rotate every admin password and invalidate active sessions by deleting rows from wp_sessions (or the equivalent session table used by your auth plugin), then force a re-login.

Concurrent plugin flaws from the 10 July 2026 disclosure window

  • GEO my WP ≤ 4.5.4 — CVE-2026-15300, CVSS 9.1. Blind SQL injection through distance, lat, lng parameters, read from $_SERVER['QUERY_STRING'] via parse_str (which bypasses wp_magic_quotes). esc_sql only escapes string delimiters; numeric positions let payloads like 1 OR SLEEP(3) survive. Patched in 4.5.5 with an upstream is_numeric guard and (float) casts.
  • miniOrange Social Login and Register ≤ 7.7.0 — CVE-2026-12761, CVSS 9.8. Unauthenticated one-time-password bypass on the profile-completion step, allowing login as any existing user, including administrators. Fixed in 7.8.0.
  • Ultimate Member ≤ 2.10.1 — CVSS 7.5, CWE-89. Blind SQL injection in the member-directory search. Partial fix in 2.9.2 left the path exploitable through 2.10.1; no fully patched build is listed in the source text.

Active exploitation context

A separate report from 12 July 2026 describes a global CMS attack wave in which web shells are being distributed through known WordPress, Joomla, and Craft CMS vulnerabilities. That increases the urgency for sites still running Super Forms.

Baseline checklist

  • Super Forms deactivated and removed on every site where it is installed
  • wp-content/uploads/ scanned for rogue .php files and web-shell patterns
  • Admin credentials rotated; sessions invalidated
  • GEO my WP updated to ≥ 4.5.5
  • miniOrange Social Login updated to ≥ 7.8.0
  • Ultimate Member updated once a fully patched build is published
  • WAF rule added for anomalous POST bodies targeting admin-ajax.php form endpoints
  • Access logs reviewed for the two-step token-then-upload pattern