Platform: wordpress
Component: mw-wp-form
Fixed in: 5.1.1
CVE-2026-4347 describes an arbitrary file access vulnerability affecting the MW WP Form plugin for WordPress. This flaw allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution (RCE). The vulnerability affects versions 0 through 5.1.0 of the MW WP Form plugin and is fixed in version 5.1.1.
CVE-2026-4347 in the MW WP Form WordPress plugin allows unauthenticated attackers to move arbitrary files on the server. This is due to insufficient file path validation within the 'generateuserfilepath' and 'movetempfiletoupload_dir' functions. If an attacker can manipulate the destination path, they could move critical system files, such as wp-config.php, potentially leading to remote code execution. The risk is significant, particularly for websites that rely on MW WP Form for form management and have not updated the plugin. The ease of exploitation, combined with the potential security impact, makes this a high-priority vulnerability to address.
The vulnerability is exploited by manipulating the file upload parameters within the MW WP Form plugin. An attacker can send a malicious request specifying an arbitrary destination path for the uploaded file. Due to inadequate validation, the plugin will move the file to the specified path, potentially allowing the attacker to overwrite critical system files. Exploitation requires the attacker to be able to interact with the plugin’s file upload functionality, typically involving access to a web form. The lack of authentication makes exploitation relatively straightforward.
Exploit Status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS Vector
The most effective solution is to immediately update the MW WP Form plugin to version 5.1.1 or higher. This version corrects the vulnerability by implementing more robust file path validation. Additionally, review file and directory permissions on the website to ensure only authorized users have access. Implementing a Web Application Firewall (WAF) can provide an additional layer of protection by blocking exploitation attempts. Monitoring server logs for suspicious activity can also help detect and respond to potential attacks.
Update to version 5.1.1, or a newer patched version
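As an added illustration of the kind of path confinement the fix describes, the following is hypothetical PHP written for this page, not the MW WP Form plugin's own code (the plugin's function names and internals are not shown here): a move routine that builds the destination only from a trusted base directory plus a validated file name, and refuses any request that could resolve outside the upload directory. It assumes PHP 8 for `str_contains`.

```php
<?php
// Added, hypothetical example (not MW WP Form's code): move an uploaded temp
// file into the upload directory while refusing any name that could resolve
// outside it. Function and variable names are assumptions for this demo.
// Requires PHP 8 (str_contains).

// Returns the final path on success, or null when the request is rejected.
// The destination is built from a trusted base plus a validated file name,
// never from a caller-supplied path.
function move_temp_file_to_upload_dir(string $tmpFile, string $requestedName, string $uploadDir): ?string
{
    $base = realpath($uploadDir);               // canonical trusted base
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Reject rather than sanitize: a separator, NUL byte or dot-segment means
    // the request is trying to name a directory, which a file name never needs.
    if ($requestedName === '' || strlen($requestedName) > 255
        || str_contains($requestedName, '/') || str_contains($requestedName, '\\')
        || str_contains($requestedName, "\0") || str_contains($requestedName, '..')) {
        return null;
    }
    // Conservative allowlist for stored names and extensions; extend as needed.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(pdf|png|jpg|jpeg|txt)\z/i', $requestedName)) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $requestedName;
    // Defense in depth: the parent of the final path must still be the base,
    // and an existing file is never overwritten.
    if (realpath(dirname($dest)) !== $base || file_exists($dest)) {
        return null;
    }
    return rename($tmpFile, $dest) ? $dest : null;
}

// Constructed demonstration in a throwaway directory under the system temp dir.
$uploadDir = sys_get_temp_dir() . '/demo-uploads-' . getmypid();
is_dir($uploadDir) || mkdir($uploadDir, 0700, true);
foreach (['report.pdf', '../../wp-config.php', '/etc/passwd', 'a\\..\\b.pdf', 'page.php'] as $name) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    $result = move_temp_file_to_upload_dir($tmp, $name, $uploadDir);
    printf("%-22s => %s\n", $name, $result ?? 'REJECTED');
    if ($result === null) {
        unlink($tmp);                           // discard the rejected upload
    }
}
```

Run with `php example.php`; only `report.pdf` is moved into the demo directory, every other request is rejected before any filesystem write.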
If you cannot update immediately, consider temporarily disabling the MW WP Form plugin until you can. You can also implement additional security measures, such as a WAF, to mitigate the risk.
If you are using a version prior to 5.1.1 of MW WP Form, your website is vulnerable. You can verify the plugin version in the WordPress admin panel, under the 'Plugins' section.
There are WordPress vulnerability scanners that can detect this vulnerability. You can also manually review the plugin code to identify the vulnerable functions.
A WAF (Web Application Firewall) is a security tool that protects web applications from attacks. It can block malicious requests and prevent the exploitation of vulnerabilities.
There are several form plugins for WordPress, such as Contact Form 7, WPForms, and Gravity Forms. Research and choose a plugin with a good security reputation.