Platform
wordpress
Component
mw-wp-form
Fixed in
5.1.2
CVE-2026-5436 describes an Arbitrary File Access vulnerability discovered in the MW WP Form plugin for WordPress. This flaw allows attackers to potentially move or read arbitrary files on the server due to insufficient input validation. The vulnerability affects versions of MW WP Form up to and including 5.1.1, and a patch is available in version 5.1.2.
The flaw lies in how MW WP Form turns request data into a filesystem path. The value of the mwfuploadfiles[] POST parameter is attacker-controlled and reaches generateuserfiledirpath(), which combines it with the intended base directory using pathjoin(). That join does not confine the result: a value that is already an absolute path is returned as-is, so the base directory is bypassed entirely and the attacker, not the plugin, decides which path is subsequently read or moved. Depending on how the plugin then uses the path, this allows reading sensitive files such as wp-config.php (which holds the database credentials) and other configuration, or moving a file onto an attacker-chosen destination, which can overwrite existing files and in the worst case lead to full site compromise. The plugin runs as the web server user, so a restrictive filesystem layout limits what can be reached, but it does not remove the bug.
CVE-2026-5436 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code had been released at the time of writing, but exploitation requires nothing more than a crafted POST request carrying the mwfuploadfiles[] parameter, so the barrier is low once the parameter handling is understood. Its EPSS score is 0.24% (47th percentile), a modest predicted probability of exploitation in the wild, and it has not been added to the CISA KEV catalog.
Exploit Status
EPSS
0.24% (47th percentile)
The primary mitigation for CVE-2026-5436 is to upgrade the MW WP Form plugin to version 5.1.2 or later without delay. If the upgrade must wait, for example pending compatibility testing, reduce exposure in the meantime: remove file-upload fields from published forms where they are not needed, since the vulnerable parameter belongs to the upload handling; make sure the web server user can write only to the WordPress uploads directory and not to wp-config.php or the plugin and theme directories, which bounds what a successful move could overwrite; and add a Web Application Firewall (WAF) rule that rejects requests whose mwfuploadfiles[] values begin with / or \, contain a .. segment or a NUL byte, or carry URL-encoded forms of any of these. Treat the WAF rule as a stopgap rather than a fix, since it only stops the patterns it matches. Finally, keep an inventory of installed plugins, install only from trusted sources, and keep them up to date.
Update to version 5.1.2, or a newer patched version
CVE-2026-5436 is a vulnerability in MW WP Form allowing attackers to potentially read or move files due to insufficient input validation. It affects versions up to 5.1.1 and has a CVSS score of 8.1 (HIGH).
You are affected if your WordPress site uses MW WP Form version 5.1.1 or earlier. Check the installed version now, either on the Plugins screen of the admin dashboard or, with WP-CLI, via wp plugin get mw-wp-form --field=version.
Upgrade MW WP Form to version 5.1.2 or later to resolve the vulnerability. If an immediate upgrade is not possible, apply temporary workarounds: restrict the web server user's write permissions to the uploads directory and add a WAF rule on the mwfuploadfiles[] parameter.
No public exploit is known at the time of writing, but the flaw needs only a crafted POST request, so exploitation attempts should be expected and the upgrade should not be deferred.
Refer to the MW WP Form official website and WordPress plugin repository for the latest security advisories and updates related to CVE-2026-5436.