Critical Vulnerability Discovered in Super Forms Plugin
CVE-2026-14894: unauthenticated RCE via unrestricted file upload in Super Forms ≤ 6.3.313. No patched release is published at the time of writing.

Attack chain
The form-submission endpoint in Super Forms accepts file attachments from anonymous visitors. The handler validates neither MIME type nor extension, and performs no capability check. The only barrier is a session-bound security token — and that token is issued through a separate endpoint that is itself open to unauthenticated requests. Two HTTP calls are sufficient for full site takeover:
1. GET /wp-admin/admin-ajax.php?action=super_get_token — retrieve session cookie and token.
2. POST /wp-admin/admin-ajax.php?action=super_submit_form — submit the form with an attached PHP payload using the same cookie.
The payload lands inside wp-content/uploads/ and is directly executable. NVD classifies the flaw as CWE-434 with CVSS 9.8.
Affected versions and status
- Plugin: Super Forms – Drag & Drop Form Builder
- Vulnerable: all releases ≤ 6.3.313
- Fixed: none at time of writing
Diagnostic steps
1. Confirm whether the plugin is installed:
wp plugin list --allow-root | grep super-forms2. Scan the uploads directory for unfamiliar .php files, ordered by modification time:
find /var/www/*/wp-content/uploads -type f -name "*.php" -printf "%TY-%Tm-%Td %TH:%TM %p\n" | sort3. Hunt for typical web-shell signatures inside uploads:
grep -rE "eval\(|base64_decode\(|system\(|passthru\(" /var/www/*/wp-content/uploads/4. Inspect web server access logs for the two-step token-then-upload pattern against admin-ajax.php:
grep "action=super_get_token" /var/log/nginx/access.log
grep "action=super_submit_form" /var/log/nginx/access.log5. If indicators appear, rotate every admin password and invalidate active sessions by deleting rows from wp_sessions (or the equivalent session table used by your auth plugin), then force a re-login.
Concurrent plugin flaws from the 10 July 2026 disclosure window
- GEO my WP ≤ 4.5.4 — CVE-2026-15300, CVSS 9.1. Blind SQL injection through
distance,lat,lngparameters, read from$_SERVER['QUERY_STRING']viaparse_str(which bypasseswp_magic_quotes).esc_sqlonly escapes string delimiters; numeric positions let payloads like1 OR SLEEP(3)survive. Patched in 4.5.5 with an upstreamis_numericguard and(float)casts. - miniOrange Social Login and Register ≤ 7.7.0 — CVE-2026-12761, CVSS 9.8. Unauthenticated one-time-password bypass on the profile-completion step, allowing login as any existing user, including administrators. Fixed in 7.8.0.
- Ultimate Member ≤ 2.10.1 — CVSS 7.5, CWE-89. Blind SQL injection in the member-directory search. Partial fix in 2.9.2 left the path exploitable through 2.10.1; no fully patched build is listed in the source text.
Active exploitation context
A separate report from 12 July 2026 describes a global CMS attack wave in which web shells are being distributed through known WordPress, Joomla, and Craft CMS vulnerabilities. That increases the urgency for sites still running Super Forms.
Baseline checklist
- Super Forms deactivated and removed on every site where it is installed
wp-content/uploads/scanned for rogue.phpfiles and web-shell patterns- Admin credentials rotated; sessions invalidated
- GEO my WP updated to ≥ 4.5.5
- miniOrange Social Login updated to ≥ 7.8.0
- Ultimate Member updated once a fully patched build is published
- WAF rule added for anomalous POST bodies targeting
admin-ajax.phpform endpoints - Access logs reviewed for the two-step token-then-upload pattern