CVE-2026-14894

WebRehab · Super Forms – Drag & Drop Form Builder

The Super Forms plugin for WordPress suffers from an unauthenticated arbitrary file upload vulnerability via the `submit_form` AJAX handler, enabling potential remote code execution.

Executive summary

A critical arbitrary file upload vulnerability in the WebRehab Super Forms plugin enables unauthenticated attackers to execute arbitrary code on the underlying WordPress server.

Vulnerability

The submit_form function lacks both file type validation and capability checks. Furthermore, the nonce requirement is easily bypassed by unauthenticated visitors using a separate nopriv AJAX endpoint to mint valid session cookies, reducing the attack to two simple HTTP requests.

Business impact

This vulnerability provides an unauthenticated attacker with a direct path to server-level compromise. By uploading executable files, an attacker can gain persistent access, manipulate site databases, or use the server as a pivot point for lateral movement within the network. The CVSS score of 9.8 reflects the high probability of successful exploitation and the total impact on the application's security posture.

Remediation

Immediate Action: Update the Super Forms – Drag & Drop Form Builder plugin to the latest version immediately to enforce proper nonce validation and file type restrictions.

Proactive Monitoring: Review web server logs for suspicious requests to nopriv AJAX endpoints and unexpected file uploads in the plugin’s directory or the WordPress media library.

Compensating Controls: Implement WAF rules to intercept and block file upload attempts that do not originate from authenticated user sessions or that contain suspicious file extensions.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is highly dangerous due to the trivial nature of the exploit chain. Organizations using this plugin must verify their current version and apply the vendor-provided security update without delay to mitigate the risk of full system compromise.