CVE-2026-14487
Last modified
CVE-2026-14487 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). EPSS estimates a 0.74% chance of exploitation in the next 30 days.
Description
The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2.4.13. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The scf_get_id_upload endpoint freely issues a valid scf_upload_file_removal nonce to any unauthenticated visitor, and the removal endpoint's secondary hash check is forgeable offline because it relies on a hardcoded salt embedded in the plugin source, meaning neither control presents a real authorization boundary.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| tombgtn | Simple Coherent Form | <= 2.4.13 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14487?
How severe is CVE-2026-14487?
How do I fix CVE-2026-14487?
Related CVEs from 2026
- CVE-2026-14471Improper Neutralization of Special Elements in the metrics-s…8.6
- CVE-2026-14474A flaw was found in SSSD's LDAP sudo provider. When the ldap…8.8
- CVE-2026-14475The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plug…4.9
- CVE-2026-14476A path traversal flaw was found in SSSD's AD GPO provider. T…8
- CVE-2026-1448A vulnerability was detected in D-Link DIR-615 up to 4.10. T…7.3
- CVE-2026-14482The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege…8.8
- CVE-2026-14489The WHMCS Bridge plugin for WordPress is vulnerable to arbit…8.8
- CVE-2026-1449A flaw has been found in Hisense TransTech Smart Bus Managem…7.3
- CVE-2026-14495The DoLogin Security plugin for WordPress is vulnerable to A…8.8
- CVE-2026-1450The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-14500The Bulk Order Update for WooCommerce plugin for WordPress i…5.3
- CVE-2026-1451The rognone plugin for WordPress is vulnerable to Reflected …6.1
Are you affected by CVE-2026-14487?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
