CVE-2026-5436
Arbitrary File Move in MW WP Form Plugin Enables RCE
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mw_wp_form | mw_wp_form | up to and including 5.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The MW WP Form plugin for WordPress is vulnerable to arbitrary file move/read in all versions up to and including 5.1.1. The cause is that the plugin does not properly validate the $name parameter, which it uses to generate file paths. An attacker can supply a specially crafted key through the mwf_upload_files[] POST parameter that bypasses validation and points to an absolute file path on the server.
During form processing, the plugin processes these keys and moves files from their original locations to the uploads folder. Because the attacker can specify any file path, they can move critical files like wp-config.php. This vulnerability can be exploited without authentication but requires that a file upload field is present in the form and that the option to save inquiry data in the database is enabled.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to move arbitrary files on the server. By moving sensitive files such as wp-config.php into the uploads directory, attackers can potentially execute remote code on the server.
The impact includes full compromise of the affected WordPress site, leading to data breaches, site defacement, or further attacks on the hosting environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution. This can result in unauthorized access to sensitive data or disruption of service.
Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should ensure that you are not using any version of the MW WP Form plugin up to and including 5.1.1, as these versions are vulnerable.
Additionally, avoid enabling the "Saving inquiry data in database" option if you have a file upload field added to your form, since the vulnerability requires both conditions to be exploitable.
Apply the update or patch from the plugin developer as soon as it is available, since that is what fixes the insufficient validation.
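The root cause described above is a client-supplied key that ends up being used as a file path. As an added example (not the plugin's own code), the PHP below shows the two checks a fix needs before any rename(): the key is restricted to a plain field name and only used as a lookup, and the source file must canonicalise to a location inside the plugin's temp directory. All function names, directories and inputs are assumptions constructed for illustration.

```php
<?php
// Added defensive example, not code from the MW WP Form plugin. It shows the
// two checks the description says were missing: the client-supplied key is
// never used to build a path, and the source file must resolve inside the
// plugin's own temp directory before rename() is called. All function names,
// directories and inputs here are assumptions constructed for illustration.

// A valid upload key is a plain field name: no slashes, dots or leading "/".
function mwf_example_is_safe_key(string $key): bool {
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key);
}

// Canonicalise $candidate with realpath() (collapses "..", symlinks and
// duplicate separators) and require it to sit under $allowedDir.
function mwf_example_path_within(string $candidate, string $allowedDir): ?string {
    $base = realpath($allowedDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // directory or file does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null; // resolves outside the allowed directory
    }
    return $real;
}

// Move one temp upload to the uploads directory only when both checks pass.
// $tempFiles maps keys to temp paths the server created itself; the key from
// the request is used only as an array lookup.
function mwf_example_move_upload(string $key, array $tempFiles, string $tempDir, string $uploadsDir): bool {
    if (!mwf_example_is_safe_key($key) || !isset($tempFiles[$key])) {
        return false;
    }
    $src = mwf_example_path_within($tempFiles[$key], $tempDir);
    if ($src === null) {
        return false;
    }
    $dest = rtrim($uploadsDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . basename($src);
    return rename($src, $dest);
}

// Constructed inputs: a field name is accepted, path-like keys are rejected
// before any filesystem call happens.
var_dump(mwf_example_is_safe_key('attachment'));
var_dump(mwf_example_is_safe_key('../wp-config.php'));
var_dump(mwf_example_is_safe_key('/abs/path'));
```

The containment check compares canonical paths, so a key that passes the regex still cannot move a file that lives outside the temp directory, even via a symlink placed there.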