CVE-2026-4347
Arbitrary File Move in MW WP Form Plugin Enables RCE
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | mw_wp_form | up to and including 5.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the MW WP Form WordPress plugin (up to version 5.1.0) arises from insufficient validation of file paths in the functions 'generate_user_filepath' and 'move_temp_file_to_upload_dir'. This flaw allows unauthenticated attackers to move arbitrary files on the server if a file upload field is present in the form and the option to save inquiry data in the database is enabled.
Because of this, attackers can move critical files such as 'wp-config.php', potentially leading to remote code execution. Exploitation goes through the plugin's file upload and handling mechanisms, which do include some validation and CSRF protections but fail to prevent arbitrary file moves because the path validation is weak.
How can this vulnerability impact me?
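As an added illustration (not the plugin's code, which is PHP), this is the containment check a hardened move step needs: resolve the candidate path first, confirm it still sits under the intended directory, and only then move the file. The function names mirror the advisory, while the site layout and file names are constructed.

```python
import shutil
import tempfile
from pathlib import Path

def safe_member(base: Path, name: str) -> Path:
    """Return base/name only if the fully resolved path stays inside base."""
    # Resolve '..', absolute paths and symlinks *before* the containment test.
    base_real = base.resolve(strict=True)
    target = (base_real / name).resolve()
    if base_real not in target.parents:
        raise PermissionError(f"{name!r} resolves outside {base_real}")
    return target

def move_temp_file_to_upload_dir(tmp_dir: Path, upload_dir: Path,
                                 temp_name: str, final_name: str) -> Path:
    """Move one uploaded temp file into the upload dir, validating both ends."""
    src = safe_member(tmp_dir, temp_name)
    dst = safe_member(upload_dir, final_name)
    if not src.is_file():
        raise FileNotFoundError(src)
    if dst.exists():
        raise FileExistsError(dst)  # never clobber an existing file
    shutil.move(str(src), str(dst))
    return dst

def demo() -> dict:
    """Run the check against a constructed site layout; returns pass flags."""
    root = Path(tempfile.mkdtemp())
    tmp_dir, upload_dir = root / "tmp", root / "uploads"
    for d in (tmp_dir, upload_dir):
        d.mkdir()
    (root / "wp-config.php").write_text("<?php // constructed stand-in\n")
    (tmp_dir / "upload-1.txt").write_text("constructed upload\n")
    (tmp_dir / "link.txt").symlink_to(root / "wp-config.php")  # points out
    moved = move_temp_file_to_upload_dir(tmp_dir, upload_dir,
                                         "upload-1.txt", "upload-1.txt")
    results = {"legit_move": moved.is_file() and moved.parent == upload_dir.resolve()}
    for label, base, name in (("traversal", upload_dir, "../wp-config.php"),
                              ("absolute", upload_dir, "/etc/passwd"),
                              ("symlink_src", tmp_dir, "link.txt")):
        try:
            safe_member(base, name)
            results[label] = False  # escape went unnoticed
        except PermissionError:
            results[label] = True  # escape refused
    results["config_intact"] = (root / "wp-config.php").is_file()
    shutil.rmtree(root)
    return results
```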
This vulnerability can have severe impacts including unauthorized file manipulation on the server hosting the WordPress site. An attacker can move arbitrary files, which may lead to remote code execution if sensitive files like 'wp-config.php' are moved or replaced.
Such remote code execution can allow attackers to take control of the website, access sensitive data, modify site content, or use the server for malicious purposes. The vulnerability is exploitable without authentication, increasing the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual file movements or uploads related to the MW WP Form plugin, especially if a file upload field is present and the option to save inquiry data in the database is enabled.
Since the vulnerability exploits insufficient file path validation in the 'generate_user_filepath' and 'move_temp_file_to_upload_dir' functions, detection can focus on identifying unauthorized uploads and unauthorized moves of sensitive files such as wp-config.php.
Suggested commands to detect suspicious activity include:
- On Linux servers, use file integrity monitoring tools like 'tripwire' or 'aide' to detect unexpected changes or moves of critical files.
- Use 'find' commands to look for recently modified or moved files in the WordPress upload directories, for example: `find /path/to/wp-content/uploads/ -type f -mtime -1` to find files modified in the last day.
- Check web server logs for POST requests to forms that include file uploads, especially those targeting the MW WP Form plugin endpoints.
- Monitor for unexpected file moves or renames using audit tools like 'auditd' with rules watching the upload directories.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the MW WP Form plugin to a version later than 5.1.0 where this vulnerability is fixed.
- If updating is not immediately possible, disable any forms that include file upload fields and have the "Saving inquiry data in database" option enabled.
- Restrict file upload permissions and ensure that the upload directories have proper .htaccess files denying direct access, as implemented by the plugin.
- Implement additional security measures such as Web Application Firewalls (WAF) to block suspicious requests targeting the vulnerable plugin.
- Monitor logs for suspicious file movements or uploads and remove any unauthorized files immediately.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the MW WP Form plugin allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution. This can result in unauthorized access to sensitive data stored on the server.
Such unauthorized file manipulation and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Specifically, if sensitive personal or health information is stored or processed via the affected plugin, exploitation of this vulnerability could lead to violations of these regulations due to unauthorized data access or alteration.