CVE-2026-14487
tombgtn · Simple Coherent Form
The Simple Coherent Form WordPress plugin contains a path traversal vulnerability allowing unauthenticated remote file deletion and potential code execution.
Executive summary
A critical path traversal vulnerability in the Simple Coherent Form WordPress plugin allows unauthenticated attackers to delete arbitrary server files.
Vulnerability
The plugin suffers from insufficient path validation in the removeUploadDir function. Furthermore, the scf_get_id_upload endpoint fails to enforce authorization, allowing unauthenticated attackers to forge the necessary removal nonce using a hardcoded salt.
Business impact
With a CVSS score of 9.1, this vulnerability allows an unauthenticated attacker to delete critical system files, including wp-config.php, which can lead to complete site takeover or remote code execution. The impact includes significant service downtime, potential data loss, and the total compromise of the WordPress environment.
Remediation
Immediate Action: Update the Simple Coherent Form plugin to the latest available version that addresses these security flaws.
Proactive Monitoring: Review web server access logs for requests directed at scf_get_id_upload and unexpected file deletion activity.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block unauthorized access to the plugin's file removal endpoints.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The reliance on hardcoded salts and the lack of authentication make this vulnerability trivial to exploit. Site administrators should update the plugin immediately or disable it until a patch is applied to prevent unauthorized file manipulation.