← volver
CVE-2026-14894

Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value)

CVSS 9.8 CRITICALEPSS 0.5%◆ VulnCheck KEVCWE-434
Vexday Risk Score
70Prioridad alta
Decisión SSVC (CISA)
Act
Explotación + impacto → acción inmediata
Madurez del exploit
Prueba de concepto
Existe prueba de concepto pública, pero aún no automatizada.
CVSS 9.8EPSS 0.5%KEV nãoPoC públicaNuclei Metasploit Patch
Ciclo de vida
10 jul 2026Publicada en NVD
11 jul 2026PoC pública
Velocidad de armamento
1 díashasta el primer PoC
Armada rápidamente — los atacantes priorizaron esta vulnerabilidad. Corrige con urgencia.
Recomendación: Corregir cuanto antes — hay explotación activa confirmada.
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit_form function. This is due to missing file type validation and the absence of any capability check on the submit_form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super_create_nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf_nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
PoCs públicas encontradas1
githubgithub.com/1beelze/CVE-2026-148940
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.