PT-2026-57051 · Webrehab · The Super Forms - Drag & Drop Form Builder

Andrea Bocchetti

·

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-14894

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submit form function. This is due to missing file type validation and the absence of any capability check on the submit form nopriv AJAX handler, whose only barrier is a session nonce freely obtainable by unauthenticated visitors via a separate nopriv endpoint. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. The nonce requirement is trivially bypassed because the super create nonce nopriv AJAX action allows any unauthenticated visitor to mint a valid sf nonce and session cookie in a single prior request, reducing exploitation to two unauthenticated HTTP requests.

Correção

Unrestricted File Upload

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-14894

Produtos afetados

The Super Forms - Drag & Drop Form Builder