Description
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument — the key survives validation because the targeted file (e.g., wp-config.php) genuinely exists at the absolute path. The _get_attachments() method then re-reads the same surviving keys and passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the file into the uploads folder. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
Published: 2026-04-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The MW WP Form plugin for WordPress contains a flaw that lets an unauthenticated attacker move any file the web server process is able to rename. The plugin does not validate the upload field key supplied in the mwf_upload_files[] POST parameter before handing it to a path-building routine based on WordPress's path_join(), which returns an absolute path unchanged instead of anchoring it under the intended upload directory; a later rename() call then moves the file into the uploads folder. An attacker can therefore relocate sensitive files, such as wp-config.php, into the web-exposed uploads directory, which both exposes their contents (for wp-config.php, the database credentials and authentication salts) and removes them from the location WordPress expects them in. The weakness is classified as CWE-22 (improper limitation of a pathname to a restricted directory) and can result in remote code execution when the right file is moved.
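To make the path_join() behaviour concrete, the following is an added PHP example written for this page; it is not code from the MW WP Form plugin or from WordPress core. wp_style_path_join() is a stripped-down stand-in reproducing what core's path_join()/path_is_absolute() do with an absolute $path, vulnerable_user_file_path() shows the unsafe pattern, and safe_user_file_path() is a hypothetical hardened helper. The assumption that a legitimate upload field key is a short alphanumeric token is mine, not something the advisory states.

```php
<?php
// Added example, not the plugin's or WordPress core's code. All function
// names are hypothetical; the plugin's own helpers are not reproduced here.

// Minimal stand-in for WordPress core's path_join()/path_is_absolute():
// an absolute $path is returned untouched and $base is silently discarded.
function wp_style_path_join( string $base, string $path ): string {
    $is_absolute = ( $path !== '' && ( $path[0] === '/' || $path[0] === '\\' ) )
        || preg_match( '#^[a-zA-Z]:\\\\#', $path ) === 1;
    if ( $is_absolute ) {
        return $path;
    }
    return rtrim( $base, '/' ) . '/' . $path;
}

// Unsafe pattern: the request-controlled key decides the final path, so an
// absolute key such as /var/www/html/wp-config.php escapes $upload_base and
// a file_exists() check on the result passes for any real file.
function vulnerable_user_file_path( string $upload_base, string $key ): string {
    return wp_style_path_join( $upload_base, $key );
}

// Hardened pattern: accept only a simple token (assumption: legitimate keys
// look like this), join it, then prove with realpath() that the result is
// still inside $upload_base. Returns null for anything else.
function safe_user_file_path( string $upload_base, string $key ): ?string {
    if ( preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $key ) !== 1 ) {
        return null; // separators, dots, empty or over-long keys
    }
    $base_real = realpath( $upload_base );
    if ( $base_real === false ) {
        return null;
    }
    $real = realpath( $base_real . DIRECTORY_SEPARATOR . $key );
    if ( $real === false ) {
        return null; // the temp upload must exist; nothing to move otherwise
    }
    if ( strpos( $real, $base_real . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null; // a symlink inside the base pointed outside it
    }
    return $real;
}

// Demonstration on a throwaway directory (constructed input, not real data).
$base = sys_get_temp_dir() . '/mwf-demo-' . getmypid();
mkdir( $base, 0700 );
touch( "$base/upload-1" );

$evil = '/var/www/html/wp-config.php';
printf( "unsafe join gives: %s\n", vulnerable_user_file_path( $base, $evil ) );
var_dump( safe_user_file_path( $base, $evil ) );                    // NULL
var_dump( safe_user_file_path( $base, '../../etc/passwd' ) );       // NULL
var_dump( safe_user_file_path( $base, 'upload-1' ) === realpath( "$base/upload-1" ) ); // bool(true)

unlink( "$base/upload-1" );
rmdir( $base );
```

The point of the realpath() step is that an allow-list on the key alone does not cover a symlink an earlier upload left inside the base; checking the resolved path against the resolved base closes both the absolute-path case the advisory describes and that one.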

Affected Systems

All installations of the inc2734 MW WP Form plugin that are version 5.1.1 or earlier. An attack is possible only when the form contains at least one file upload field and the "Saving inquiry data in database" setting is enabled. The vulnerability applies to any WordPress site that uses such a form and has not yet applied the official update.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network without credentials or user interaction, and the High attack-complexity rating reflects the configuration prerequisites rather than any difficulty in the request itself. The EPSS score is currently below 1% and the vulnerability is not listed in the CISA KEV catalog, but the straightforward exploitation path, a single crafted POST request carrying an absolute path as the upload field key, makes the risk significant for any exposed site. A successful attack can move privileged files into the uploads directory, expose their contents, and open the way to remote code execution. The only prerequisites are a form with a file upload field and the database-saving option enabled, both of which are ordinary configuration choices rather than unusual conditions.

Generated by OpenCVE AI on April 8, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MW WP Form to a release later than 5.1.1 as soon as the vendor publishes one that removes the path-validation flaw; at the time of this record no fix or workaround is listed, so treat the remaining items as the interim control.
  • If an update cannot be applied immediately, disable the form's "Saving inquiry data in database" option or remove all upload fields from affected forms; either change removes a precondition of the exploit. Deactivating the plugin removes the attack surface entirely.
  • Restricting uploads by MIME type does not address this flaw: the attacker-controlled value is the upload field key in mwf_upload_files[], not the uploaded file. If staying on a vulnerable version, reject at the web server or WAF any POST request whose mwf_upload_files[] entries contain a path separator, a leading slash or drive letter, or a ".." segment.
  • Web server access logs do not record rename() calls. Log request bodies (or use WAF request logging) for POSTs to form pages whose mwf_upload_files[] values look like paths, and use file integrity monitoring to alert when wp-config.php disappears from the document root or unexpected files appear under wp-content/uploads.
  • Implement general WordPress hardening practices, such as limiting upload directory permissions and reviewing user capabilities to reduce overall risk.
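The request-level stopgap described in the actions above, as an added example for this page (not code from the MW WP Form plugin, from Wordfence or from OpenCVE): a WordPress must-use plugin that rejects any POST whose mwf_upload_files[] entries look like paths. Assumptions: legitimate upload field keys never contain a path separator, a ".." segment, a NUL byte or a drive-letter prefix, and never exceed 128 bytes; the parameter name and array shape follow the CVE description. Function names are hypothetical.

```php
<?php
/**
 * Plugin Name: MWF upload-key guard (stopgap)
 *
 * Added example, not the plugin's own code. Place in wp-content/mu-plugins/
 * so it executes before regular plugins (including MW WP Form) are loaded.
 * Assumption: legitimate mwf_upload_files[] keys are plain field names with
 * no separators, "..", NUL bytes or drive letters, and are at most 128 bytes.
 * If a site's forms use keys outside that shape, legitimate submissions
 * would be blocked and the rules below need adjusting.
 */

function mwf_guard_key_is_suspicious( string $value ): bool {
    if ( $value === '' || strlen( $value ) > 128 ) {
        return true;
    }
    if ( strpbrk( $value, "/\\\0" ) !== false ) {
        return true; // slash, backslash or NUL byte
    }
    if ( strpos( $value, '..' ) !== false ) {
        return true; // traversal segment
    }
    return preg_match( '#^[a-zA-Z]:#', $value ) === 1; // Windows drive prefix
}

// Returns every mwf_upload_files[] key or value that fails the checks.
function mwf_guard_find_suspicious( array $post ): array {
    $hits = array();
    if ( ! isset( $post['mwf_upload_files'] ) ) {
        return $hits;
    }
    // Both array keys and values are examined, so the check holds whichever
    // of the two the plugin treats as the upload field key.
    foreach ( (array) $post['mwf_upload_files'] as $k => $v ) {
        $candidates = array( (string) $k, is_scalar( $v ) ? (string) $v : '' );
        foreach ( $candidates as $candidate ) {
            if ( $candidate !== '' && mwf_guard_key_is_suspicious( $candidate ) ) {
                $hits[] = $candidate;
            }
        }
    }
    return $hits;
}

// Runs at mu-plugin load time, i.e. before MW WP Form ever sees the request.
// Plain PHP is used for the abort so nothing depends on WordPress being
// further initialised at this point.
if ( ( $_SERVER['REQUEST_METHOD'] ?? '' ) === 'POST' ) {
    $mwf_guard_hits = mwf_guard_find_suspicious( $_POST );
    if ( $mwf_guard_hits !== array() ) {
        error_log(
            'mwf-guard: blocked suspicious mwf_upload_files[] value(s) from '
            . ( $_SERVER['REMOTE_ADDR'] ?? '-' ) . ': '
            . implode( ', ', $mwf_guard_hits )
        );
        http_response_code( 400 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo "Bad request.\n";
        exit;
    }
}
```

The error_log() line is what makes this useful beyond blocking: it records the offending value and source address, which is the detection signal the access log cannot provide. Keep the guard in place only until the vendor's fixed release is installed; it is a virtual patch around one input, not a fix for the path-handling defect itself.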


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inc2734; Inc2734 mw Wp Form; Wordpress; Wordpress wordpress
Vendors & Products | | Inc2734; Inc2734 mw Wp Form; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | (the Description shown at the top of this page)
Title | | MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T20:50:10.628Z

Reserved: 2026-04-02T17:45:46.532Z

Link: CVE-2026-5436

Vulnrichment

Updated: 2026-04-10T20:50:06.800Z

NVD

Status : Deferred

Published: 2026-04-08T21:17:01.690

Modified: 2026-04-24T18:05:09.240

Link: CVE-2026-5436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:20Z

Weaknesses