CVE-2026-14487: The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path val
criticalvulnerability
security
Summary
The Simple Coherent Form plugin for WordPress (versions up to 2.4.13) has a vulnerability where attackers can delete any file on the server because the plugin doesn't properly check file paths before deletion. Since anyone can access the deletion feature without logging in, attackers could delete critical files like wp-config.php (the main configuration file) to gain control of the website through remote code execution (running malicious commands on the server).
Vulnerability Details
CVSS Score
9.1(critical)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
none
Disclosure Date
July 8, 2026
Classification
Attack SophisticationModerate
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-14487
First tracked: July 8, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 95%