Impact
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient path validation in the generate_user_filepath and move_temp_file_to_upload_dir functions. Unauthenticated attackers can relocate any file on the server when the form includes a file‑upload field and the “Saving inquiry data in database” option is enabled. If a critical file such as wp-config.php is moved, remote code execution or site compromise can follow.
Affected Systems
Vendors and products affected are the inc2734:MW WP Form plugin for WordPress. All versions up to and including 5.1.0 are vulnerable; newer releases are not affected.
Risk and Exploitability
The flaw has a high severity CVSS score of 8.1 and an EPSS score of 1%, indicating a low but non‑zero probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires no user authentication but relies on the presence of a file‑upload field and a specific form configuration. Given the potential for remote code execution, the risk is significant for any WordPress site that runs the affected plugin.
OpenCVE Enrichment