Platform: wordpress
Component: mw-wp-form
Fixed in: 5.1.2
CVE-2026-5436 describes an Arbitrary File Access vulnerability discovered in the MW WP Form plugin for WordPress. This flaw allows attackers to potentially move or read arbitrary files on the server due to insufficient input validation. The vulnerability affects versions of MW WP Form up to and including 5.1.1, and a patch is available in version 5.1.2.
An attacker exploiting CVE-2026-5436 can leverage the insufficient validation of the $name parameter within the generateuserfile_dirpath() function to manipulate file paths. This allows them to move or read files outside the intended upload directory. Successful exploitation could lead to unauthorized access to sensitive data, including configuration files, database credentials, or even system files. The impact is amplified if the WordPress installation has weak file permissions or if the attacker can combine this vulnerability with other exploits to gain broader control over the server. The ability to read arbitrary files represents a significant security risk, potentially exposing critical information and enabling further malicious activity.
CVE-2026-5436 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog. The vulnerability's ease of exploitation, combined with the widespread use of MW WP Form, suggests a medium probability of exploitation.
WordPress websites utilizing the MW WP Form plugin, particularly those running versions 5.1.1 or earlier, are at risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Sites that rely on MW WP Form for critical data collection or form submissions are also at higher risk.
• wordpress / plugin: wp plugin list | grep mw-wp-form
• wordpress / plugin: Check the plugin version in the WordPress admin dashboard.
• wordpress / plugin: Search the plugin files (e.g., wp-content/plugins/mw-wp-form/) for instances of generateuserfile_dirpath() and pathjoin() to identify potentially vulnerable code.
• generic web: Monitor web server access logs for requests containing suspicious characters or patterns in the mwfuploadfiles[] parameter.
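The two checks above (is the installed version still in the affected range, and do logged requests carry traversal-style values in the mwfuploadfiles[] parameter) can be automated. The script below is an added example written for this page, not code from the MW WP Form project or from the advisory. It assumes Apache/nginx combined-format access log lines (the sample lines are constructed) and that the parameter is visible in the request target; if the plugin receives it in a POST body, point the same check at a WAF or audit log that records bodies. The version threshold 5.1.2 and the parameter name come from the page; the traversal value in the sample log is the one the mitigation section itself mentions.

```python
import re
from urllib.parse import unquote, parse_qs, urlsplit

PATCHED_VERSION = (5, 1, 2)        # advisory: fixed in 5.1.2, 5.1.1 and earlier affected
PARAM_NAME = "mwfuploadfiles[]"    # parameter name as given on the page


def parse_version(v: str) -> tuple:
    """Turn '5.1.1' into (5, 1, 1); tolerate suffixes such as '5.1.2-beta'."""
    core = v.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(installed: str) -> bool:
    """True for every release below the patched version (i.e. up to and including 5.1.1)."""
    return parse_version(installed) < PATCHED_VERSION


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), unify separators, drop NUL bytes."""
    out = value
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/").replace("\x00", "")


# '..' as a whole path segment (start or after a slash, followed by a slash or end)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# absolute POSIX path or Windows drive path
ABSOLUTE_RE = re.compile(r"^/|^[A-Za-z]:/")


def is_suspicious_filename(value: str) -> bool:
    """True when a supplied file name could escape a fixed upload directory."""
    n = normalise(value)
    has_nul = "\x00" in value or "%00" in value.lower()
    return bool(TRAVERSAL_RE.search(n) or ABSOLUTE_RE.match(n) or has_nul)


# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Return (ip, timestamp, decoded value) for every request whose
    mwfuploadfiles[] value looks like a path-traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)   # decodes keys and values once
        for value in params.get(PARAM_NAME, []):
            if is_suspicious_filename(value):
                hits.append((m.group("ip"), m.group("ts"), normalise(value)))
    return hits


# Constructed sample log lines (IPs from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Apr/2026:10:01:02 +0000] "GET /contact/?mwfuploadfiles%5B%5D=report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [08/Apr/2026:10:02:15 +0000] "GET /contact/?mwfuploadfiles%5B%5D=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.12 - - [08/Apr/2026:10:03:40 +0000] "GET /contact/?mwfuploadfiles%5B%5D=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.13 - - [08/Apr/2026:10:04:01 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("5.1.1", "5.1.2"):
        print(ver, "affected" if is_vulnerable(ver) else "patched")
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM_NAME}={value!r}")
```

The third sample line is double-encoded (`%252F`); a single decode leaves `%2F` in place, which is why `normalise()` decodes until the value stops changing before testing it. The fourth line is a POST with no query string and is skipped, which illustrates the caveat in the lead-in: plain access logs do not show body parameters.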
Disclosure
Exploit status
EPSS: 0.24% (47th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5436 is to immediately upgrade the MW WP Form plugin to version 5.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file upload permissions to the WordPress user account. Additionally, review and harden file permissions on the WordPress installation to limit the potential impact of a successful exploit. Web Application Firewalls (WAFs) configured to inspect and filter POST requests for suspicious characters in the mwfuploadfiles[] parameter could also provide a layer of defense. After upgrading, confirm the fix by attempting a file upload with a crafted filename containing path traversal characters (e.g., ../../../../etc/passwd) and verifying that the upload fails with an appropriate error message.
Update to version 5.1.2 or a newer patched version.
CVE-2026-5436 is a vulnerability in MW WP Form allowing attackers to potentially read or move files due to insufficient input validation. It affects versions up to 5.1.1 and has a CVSS score of 8.1 (HIGH).
You are affected if your WordPress site uses MW WP Form version 5.1.1 or earlier. Check your plugin version immediately to determine your risk level.
Upgrade MW WP Form to version 5.1.2 or later to resolve the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file upload permissions and WAF rules.
While no public exploits are currently known, the vulnerability's nature suggests a relatively low barrier to exploitation, so active exploitation is possible.
Refer to the MW WP Form official website and WordPress plugin repository for the latest security advisories and updates related to CVE-2026-5436.