Top/Articles/WordPress Form Plugin 'Super Forms' Site-Takeover Flaw CVE-2026-14894 β€” Exploitable With No Login, Update Now
superforms-cve-cover-en

WordPress Form Plugin 'Super Forms' Site-Takeover Flaw CVE-2026-14894 β€” Exploitable With No Login, Update Now

A flaw (CVE-2026-14894, severity 9.8) in the popular premium WordPress form builder Super Forms lets anyone, with no login, upload a malicious file and run programs on the server to hijack the site. Versions 6.3.313 and earlier are affected. The vendor has released a fix, and updating to the latest version stops it. We explain the scope and what to do now.

NewsPublished July 10, 2026 Updated today
Table of contents
Key takeaways

A flaw (CVE-2026-14894, severity 9.8) in the popular premium WordPress form builder Super Forms lets anyone, with no login, upload a malicious file and run programs on the server to hijack the site. Versions 6.3.313 and earlier are affected. The vendor has released a fix, and updating to the latest version stops it. We explain the scope and what to do now.

The popular premium plugin for putting contact and application forms on WordPress sites, "Super Forms," has a serious flaw that lets a third party who has not logged in or registered upload a malicious file and hijack the site along with its server. Tracked as CVE-2026-14894, its severity is a top-tier 9.8 out of 10.

What makes it frightening is that exploitation needs no login and no click by any user. Just by hitting the form's submission endpoint, an attacker can reach a state where they can freely run programs on the server. This is called remote code execution (RCE), among the heaviest classes of vulnerability. Affected are all versions of Super Forms 6.3.313 and earlier, and the vendor has released a fix. If your site uses Super Forms, update to the latest version right now.

What is Super Forms?

Super Forms is a premium plugin that lets you place all kinds of forms β€” contact, quote requests, bookings, surveys β€” on a WordPress site simply by dragging and dropping parts. A plugin is an add-on component that extends WordPress after the fact. Thanks to advanced features like payment integration and automated email, it has been a staple form builder sold in the tens of thousands, widely used by production agencies and individual sites.

Many form plugins include a "file upload" feature so users can attach things like resumes or images. Convenient β€” but if it accepts any kind of file, it can become an entry point for uploading a program file and hijacking the server, a danger that comes with this class of feature. This month's issue was in exactly that form-submission and file-receiving process. Like the flaw in the WordPress plugin UsersWP that struck a similar hole in a membership feature, the shared trait is that "gateways that accept outside input" are the ones most targeted.

What is the danger, and how far does the damage spread?

This flaw is a defect known technically as "arbitrary file upload." A form should only accept set file types such as images or PDFs, but Super Forms' submission process was in a state where it accepted files without checking their type. As a result, an attacker can upload a program file (such as a PHP file) that can run commands on the server.

Once an uploaded program runs on the server, the attacker seizes the site's admin control and can effectively do anything β€” deface pages, exfiltrate member and inquiry data, and use the server as a springboard to attack other sites. It does not end at "one file was placed"; the site and the server behind it are seized wholesale. The 9.8 severity reflects that the server can be taken with no special privileges and no user action.

There are almost no prerequisites for exploitation. The attacker needs no login and no registration β€” just crafted traffic to a public page carrying the form. If a page with Super Forms is exposed to the internet, it can be targeted indiscriminately the moment a program automatically roaming the net finds it. The combination of low attack difficulty and large spoils is what makes this flaw especially dangerous.

Who targets this hole, and what happens?

The likely exploiters are attackers who deface sites to use as springboards for fake pages or spam, and ransomware gangs that seize servers for a payout. Because it can be launched without even logging in, they automatically hunt for vulnerable Super Forms and hit every one they find. Sites left un-updated after being outsourced are prime targets.

The attack flow is astonishingly simple. The attacker uploads a malicious program file to the form's submission endpoint without logging in or registering, and runs it on the server to seize control of the site. The technical details are below, but it takes only a few requests, and no click or action by the victim is required.

As a result, the individual or business running the site may have public pages defaced or the entire customer personal data collected via forms stolen. A hijacked site can, unbeknownst to its owner, be turned into a base for phishing or malware distribution, harming visitors too. Once control is lost, recovery costs time and money, and the site's own credibility is harmed. Takeovers exploiting WordPress plugin flaws are, in reality, reported in large numbers almost every month.

A technical look at what is happening

The problem lay in how the form-submission process was built. It has one identifier assigned to it.

CVE-2026-14894: accepting files without checking their type, and allowing execution

Super Forms has a process called submit_form that accepts form submissions. It should have checked whether an attached file was a "safe type" like an image or PDF and rejected program files that can run on the server. In reality, the mechanism to validate the file type was missing, and the endpoint that invokes this submission process (the AJAX handler) also lacked a capability check to confirm the caller is allowed to act. The U.S. National Institute of Standards and Technology (NIST) classifies this as unrestricted upload of a file of a dangerous type (CWE-434).

The technique goes like this. The attacker first obtains a valid token needed for submission (a nonce, normally a single-use anti-tampering token) from another public endpoint. After that, in just two requests they can place an executable program file on the server. Because the placed file can be called and run directly from the web, the attacker's commands then run on the server. No login is needed (no privilege requirement) and no user action β€” the heaviest profile in the CVSS breakdown. The vendor has fixed it to properly check file type and permissions, resolving it in versions after 6.3.313.

Super Forms has repeated the same class of hole

In fact, this is not the first time Super Forms has been flagged for an arbitrary file upload hole. Back in 2021, a similar RCE that let anyone upload a program file without logging in was disclosed (affecting version 4.9.700 and earlier at the time, fixed in 4.9.703). A form's attachment feature β€” an "entry point that can receive executable files from outside" β€” is a textbook case of a spot that, with weak validation, repeatedly becomes a takeover hole.

To avoid repeating the same mistake, what matters is keeping form plugins always up to date and storing uploaded files in a place "that cannot be executed directly from the web." The more convenient the feature, the more the danger spikes when the receiving side's validation and storage design are weak. Incidents where a file-receiving feature leads to takeover keep happening across products, as with the flaw in the booking plugin LatePoint.

Affected versions and the fix

The affected range is all versions of Super Forms 6.3.313 and earlier. Because the vendor has released a fix, updating to the latest version after 6.3.313 is the fundamental fix. Since Super Forms is a premium plugin sold mainly on CodeCanyon and the like, obtain the latest version from your purchase source or the plugin's admin screen and apply it.

Your situationRiskWhat to do
6.3.313 or earlier
Γ—
form is public
Most dangerous
(unauth RCE)
Update now
consider unpublishing until then
6.3.313 or earlier
Γ—
private / staging
Update neededUpdate to latest soon
After 6.3.313
(latest)
FixedThis hole is closed

If circumstances keep you from updating immediately, stopgaps such as temporarily disabling Super Forms' file-upload feature or temporarily unpublishing the page with the form can narrow the entry points. It also helps to check whether unfamiliar files have been piling up in the server's upload folder. These only buy time, though β€” fundamentally, updating to the latest version is required.

What is confirmed and what is still unknown

βœ“ Confirmed facts

  • βœ“Without authentication or user action, an arbitrary file can be uploaded via the form-submission process, leading to RCE (NVD)
  • βœ“The cause is missing file-type validation in submit_form and a missing capability check on the AJAX endpoint (CWE-434)
  • βœ“Affected is 6.3.313 and earlier, and the vendor has released a fix. Severity is 9.8 (NVD)

? Not yet confirmed

  • ?As of publication, there is no official report that this flaw has been used in real attacks
  • ?It is not, as of publication, on the U.S. CISA "Known Exploited Vulnerabilities (KEV)" catalog (the latest KEV status can be checked here)
  • ?Unauthenticated RCE is highly attractive to attackers and tends to be exploited soon after disclosure β€” caution is warranted

What you can do right now

The direction is clear. The top priority is to update Super Forms to the latest version after 6.3.313. Since it is a premium plugin, if no update notice shows in the WordPress admin, obtain the latest version from your purchase source (your CodeCanyon account or the distributor) and swap it in. Because it can be exploited without authentication, every day of delay extends the time you spend exposed.

Before and after updating, it also helps to check whether you have already been exploited. Look in the server's upload folder (under wp-content/uploads and the like) for unfamiliar PHP files, and if present, remove them and investigate the intrusion path. If worried, consider restoring from backup or consulting a security professional. Removing unused plugins and keeping only the active ones up to date is the basis of protecting WordPress.

Your roleWhat to do nowPriority
Site operatorUpdate to latest
Unpublish / disable uploads until then
Top
Site builder / contractorCheck delivered sites' versions
Inspect for suspicious files
High
Suspected compromiseRemove rogue PHP, trace intrusion
Consider restoring from backup
High

Frequently asked questions

Q. How can I check whether my site uses Super Forms?

A. Log in to the WordPress admin and open "Plugins" in the left menu; you can tell by whether "Super Forms" appears in the list of active plugins. The version number is shown too, so if it is 6.3.313 or earlier, an update is needed. If you leave your site to a production company, ask them to check the version and update it.

Q. Am I safe if my forms do not use file attachments?

A. Even forms without attachments cannot be called safe, because the hole is in the plugin's submission process itself. The reliable move is to update to the latest version. If you cannot update immediately, narrow the entry points by temporarily unpublishing the form page or disabling Super Forms.

Q. Is it already being exploited?

A. As of this article, there is no confirmed official report of this flaw being used in real attacks, and it is not on CISA's KEV catalog. That said, it is exploitable without authentication, and Super Forms has previously been hit by a similar upload hole, so it tends to be exploited soon after disclosure β€” updating early is safer.

Q. How can I tell whether I have been hijacked?

A. Check the server's upload folder (under wp-content/uploads and the like) for unfamiliar PHP files or oddly-named files. Signs also include an unfamiliar administrator account being added, page defacement, and suspicious outbound traffic. If it is hard to judge, consider restoring from backup or consulting a security professional.

In summary

This case is about how a convenient form-building plugin, by accepting files without checking their type, could let a non-logged-in third party upload a program file and hijack the site along with its server. CVE-2026-14894 is exploitable with no authentication and no user action, at a top-tier severity of 9.8. It is a staple plugin used in the tens of thousands β€” and the same class of hole has been struck before.

The saving grace is that the vendor has already released a fix. Just updating to the latest version after 6.3.313 stops it. For plugins with file-receiving features, it is best to treat "convenient but easily targeted" as a given and make frequent updates β€” and checking the upload folder β€” a habit. We will report again if new signs of exploitation emerge.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django