CVE-2026-14487 Overview
CVE-2026-14487 is an arbitrary file deletion vulnerability in the Simple Coherent Form plugin for WordPress. The flaw affects all plugin versions up to and including 2.4.13. Insufficient file path validation in the removeUploadDir function allows unauthenticated attackers to delete arbitrary files on the underlying server. Deleting sensitive files such as wp-config.php can force WordPress into a setup state, enabling attacker-controlled reinstallation and remote code execution. The vulnerability is classified as Path Traversal [CWE-22].
Critical Impact
Unauthenticated attackers can delete arbitrary files on affected WordPress servers, leading to remote code execution when critical files like wp-config.php are removed.
Affected Products
- Simple Coherent Form plugin for WordPress
- All versions up to and including 2.4.13
- WordPress sites with the plugin installed and activated
Discovery Timeline
- 2026-07-08 - CVE-2026-14487 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-14487
Vulnerability Analysis
The vulnerability resides in the removeUploadDir function within includes/fields/file.php of the Simple Coherent Form plugin. The function accepts a file path parameter from user-supplied input without adequately validating or canonicalizing the path. Attackers can supply traversal sequences to escape the intended upload directory and reference arbitrary files on the filesystem.
The plugin exposes two nominal authorization controls, both of which fail to enforce a real boundary. The scf_get_id_upload endpoint issues a valid scf_upload_file_removal nonce to any unauthenticated visitor on request. The removal endpoint's secondary hash check relies on a hardcoded salt embedded directly in the plugin source, which allows the required hash to be forged offline. Neither mechanism restricts the caller.
Successful deletion of wp-config.php triggers WordPress to enter the initial setup flow. An attacker reaching that flow first can point the installation at a database they control and achieve remote code execution through PHP file writes or plugin uploads.
Root Cause
The root cause is a combination of missing path validation in removeUploadDir [CWE-22] and broken authorization on the request path. The nonce issuance endpoint does not gate access on authentication or capability. The hash verification depends on a static secret shipped in the plugin, defeating its purpose as a shared secret.
Attack Vector
The attack requires only network access to the target WordPress site. An unauthenticated attacker requests a nonce from scf_get_id_upload, computes the forgeable hash using the hardcoded salt, and calls the removal endpoint with a traversal payload targeting a file outside the upload directory. Refer to the Wordfence Vulnerability Report and the plugin source at WordPress Plugin Trac (file.php line 1387) for the affected code.
No verified public exploit code is available at the time of publication. The vulnerability is described in prose to avoid fabricating exploit payloads.
Detection Methods for CVE-2026-14487
Indicators of Compromise
- Unexpected HTTP requests to admin-ajax.php or REST endpoints invoking scf_get_id_upload or the file removal action from unauthenticated sessions.
- Missing or truncated wp-config.php, .htaccess, or index.php files on WordPress hosts running the plugin.
- WordPress site unexpectedly redirecting to /wp-admin/install.php, indicating configuration file deletion.
- Web server logs showing path traversal sequences (../) in parameters passed to Simple Coherent Form endpoints.
Detection Strategies
- Alert on HTTP requests containing scf_upload_file_removal combined with path traversal characters in body or query parameters.
- Monitor for anonymous access to scf_get_id_upload followed shortly by requests to the file removal endpoint from the same source IP.
- Correlate file deletion events on WordPress document roots with inbound requests to the plugin's AJAX actions.
Monitoring Recommendations
- Enable file integrity monitoring on WordPress core files, particularly wp-config.php, .htaccess, and plugin directories.
- Ingest WordPress and web server logs into a centralized analytics platform and alert on requests to plugin endpoints from unauthenticated origins.
- Review outbound database connections after suspected exploitation to detect attacker-controlled reinstallation attempts.
How to Mitigate CVE-2026-14487
Immediate Actions Required
- Deactivate the Simple Coherent Form plugin on all WordPress sites until a patched version is installed.
- Restrict access to admin-ajax.php from untrusted networks using a web application firewall while the plugin is present.
- Verify the integrity of wp-config.php and other critical WordPress files, and restore from backup if tampering is detected.
- Rotate database credentials, WordPress secret keys, and administrator passwords if compromise is suspected.
Patch Information
At the time of NVD publication (2026-07-08), all versions up to and including 2.4.13 are affected. Site administrators should monitor the plugin's WordPress.org listing and the Wordfence Vulnerability Report for a fixed release and upgrade immediately once available.
Workarounds
- Remove the plugin entirely if it is not business-critical.
- Deploy web application firewall rules that block requests to scf_get_id_upload and the file removal action from unauthenticated users.
- Set restrictive filesystem permissions so the PHP process cannot delete files outside the intended upload directory.
- Move wp-config.php one directory above the WordPress web root, where WordPress will still load it but path traversal from the plugin cannot easily reach it.
# Example: block requests targeting the vulnerable endpoints at the web server
# Nginx snippet placed in the server block
location = /wp-admin/admin-ajax.php {
if ($arg_action ~* "scf_get_id_upload|scf_upload_file_removal") {
return 403;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

