External risk intelligence

Super Forms Arbitrary File Upload Leading to Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-14894

The vulnerability resides in a WordPress plugin used for form building. WordPress sites are public-facing web applications by design, and this specific plugin functionality is intended to be accessible to site visitors for form submission, making the vulnerable endpoint directly reachable from the public internet.

Unrestricted File Upload

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Super Forms plugin for WordPress, a popular tool for website form creation. The issue allows unauthenticated attackers to upload and execute malicious files, potentially leading to full system compromise. The primary concern is confirming if this plugin is in use and if it is exposed to external access.

  • Allows attackers to upload harmful files.
  • Critical risk to WordPress site integrity.
  • Confirm use and external exposure immediately.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by first obtaining a session nonce and cookie from a separate public endpoint. They can then use these credentials in a second request to upload a malicious file through the vulnerable form builder feature. This could allow the attacker to execute arbitrary code on the server.

  • No authentication required.
  • Uploading a malicious file.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Super Forms plugin could allow unauthenticated attackers to upload executable files to a WordPress site. Exploitation is possible through two unauthenticated HTTP requests, bypassing security measures by first obtaining a session nonce. This could lead to the execution of arbitrary code on the affected server.

  • Arbitrary executable files.
  • Via specially crafted HTTP requests.
  • Remote code execution on server.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and security teams should prioritize identifying all instances of the Super Forms plugin on their WordPress sites, confirming their reachability from the internet, and assessing business criticality to mitigate the risk of unauthenticated remote code execution. Once identified and prioritized, coordinate with infrastructure and potentially vendor-management teams to plan and implement a remediation strategy, which may include applying patches or implementing compensating controls if direct patching is not immediately feasible.

  • WordPress application owners and security teams.
  • Verify plugin presence and internet reachability.
  • Plan and execute remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Super Forms plugin for WordPress?

Super Forms is a drag-and-drop tool used to create interactive forms on WordPress websites, such as contact forms, surveys, or registration pages. It enables site owners to collect data from visitors by embedding these forms directly into their web pages.

How does CVE-2026-14894 allow unauthorized file uploads?

This vulnerability, classified as Unrestricted Upload of File with Dangerous Type (CWE-434), occurs because the plugin fails to check if a user is authorized or what kind of file is being uploaded. An attacker can send a request to the form submission handler to upload malicious scripts instead of expected form data.

Do I need to be logged into WordPress to trigger this bug?

No. The flaw exists in an endpoint designed to handle requests from the public. Because the plugin does not verify user identity and allows visitors to easily generate the necessary session tokens themselves, an attacker does not need any legitimate account or administrative privileges to successfully upload a file.

Is my site at risk from CVE-2026-14894?

If you use Super Forms, your site is at risk. Halo Surface Signal identifies this as a highly relevant threat because WordPress sites are designed to be public-facing, meaning the vulnerable form submission component is directly reachable and exploitable by anyone on the internet.

How do I secure my site against this vulnerability?

First, audit your WordPress environment to determine if Super Forms is installed. If you find the plugin, prioritize checking for and applying official updates from the developer. If an update is not immediately available, consider disabling the plugin or restricting access to the site's form submission features until you can implement a fix.

References