External risk intelligence

WordPress Simple Coherent Form Plugin Arbitrary File Deletion Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-14487

The vulnerability exists in a WordPress plugin. WordPress sites are commonly deployed as internet-facing web applications, making endpoints provided by plugins frequently reachable by unauthenticated users over the public internet.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server. This could potentially lead to remote code execution if critical files are targeted. The issue stems from insufficient validation of file paths within the plugin's file deletion function.

  • Plugin allows deleting any file.
  • Critical for confirming if this plugin is used.
  • Confirm if the Simple Coherent Form plugin is deployed.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by leveraging the plugin's insufficient file path validation. The attacker can target the `scf_get_id_upload` endpoint to obtain a valid nonce, which can then be used with a forgeable secondary hash to trigger the file deletion function. This can lead to the deletion of critical server files, potentially enabling remote code execution.

  • Entry: Network access to the plugin.
  • Trigger: Forgeable nonce and hash for file deletion.
  • Risk: Arbitrary file deletion, leading to RCE.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated attackers could delete arbitrary files on a WordPress server. This could lead to a compromise of sensitive information or remote code execution when critical files are removed.

  • Arbitrary file deletion on the server.
  • Exploits flawed file path validation.
  • Could lead to remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Simple Coherent Form WordPress plugin requires immediate attention from teams managing web infrastructure and WordPress instances. The first practical step is to identify all WordPress sites using this plugin, confirm their exposure to the internet, and ascertain their business criticality. Once identified, the accountable owner should be determined to plan remediation, which may involve coordinating with vendors if direct patching is not feasible, or implementing temporary risk reduction measures.

  • WordPress administrators and webmasters own this issue.
  • Verify plugin usage and external accessibility.
  • Plan vendor coordination or removal.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Simple Coherent Form plugin?

Simple Coherent Form is an add-on for WordPress websites designed to streamline data collection and file uploads. It functions as a component within the WordPress ecosystem, allowing administrators to create custom forms. Because it handles file processing, it interacts directly with the server's file system to manage uploads, which is the specific functionality involved in this vulnerability.

What does CWE-22 mean for CVE-2026-14487?

CWE-22 refers to Improper Limitation of a Pathname to a Restricted Directory, often called path traversal. In this CVE, the plugin fails to properly verify file paths before deletion. This weakness allows an attacker to move outside intended directories and target any file on the server. Because the plugin does not correctly restrict where files can be deleted, it gives unauthorized users the ability to remove critical system components.

How does an attacker trigger this file deletion?

An attacker initiates the process by interacting with the plugin's public endpoints. The plugin provides a nonce and uses a predictable, hardcoded secret to verify actions, allowing an attacker to craft a request that mimics a legitimate user. It is important to note that this does not require a password or administrative session; any visitor can obtain the necessary tokens to trigger the deletion function.

Why is this plugin's accessibility a concern?

Halo Surface Signal notes that WordPress plugins are typically deployed on internet-facing web applications. Since this plugin is accessible via network requests, anyone on the public internet can reach the affected endpoints. This means the server is reachable by automated scanning or remote actors, significantly increasing the likelihood that the vulnerability can be targeted without needing local or internal network access.

How should I respond if I use this plugin?

First, verify if your WordPress instances have the Simple Coherent Form plugin installed. If identified, assess whether the site is exposed to the internet. Since this flaw allows for high-impact actions like deleting core configuration files, you should prioritize determining if the site can be taken offline or the plugin disabled until you can coordinate with the vendor for a security update or identify a safe alternative.

References