Description
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MW WP Form plugin for WordPress has an insufficient access control check that allows unauthenticated users to retrieve post data through the 'post_id' query parameter. This allows attackers to read the contents or metadata of password protected, private, or draft posts, compromising confidential information. The weakness is a classic Insecure Direct Object Reference represented by CWE‑639.

Affected Systems

The vulnerability affects all MW WP Form versions up to and including 5.1.2. The plugin is a WordPress plugin developed by websoudan and is publicly available through the WordPress plugin repository. No specific operating system or server platform is mentioned; the issue exists regardless of the host environment.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate level of severity. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by crafting a URL that includes an arbitrary post_id; no authentication is required. No publicly documented exploit exists at this time, but the moderate score and lack of mitigation in affected versions mean the risk is non‑negligible.

Generated by OpenCVE AI on May 14, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MW WP Form to version 5.1.3 or later to remove the insecure access check
  • Disable the use of the 'post_id' query parameter in URLs until the plugin is updated
  • Ensure that any requests to post data require authentication and validate the user's role against the post status

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Web-soudan; Web-soudan mw Wp Form; Wordpress; Wordpress wordpress
Vendors & Products | | Web-soudan; Web-soudan mw Wp Form; Wordpress; Wordpress wordpress

Thu, 14 May 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Title | | MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:42:52.973Z

Reserved: 2026-04-13T11:52:59.172Z

Link: CVE-2026-6206

Vulnrichment

Updated: 2026-05-14T10:42:48.424Z

NVD

Status: Deferred

Published: 2026-05-14T09:16:27.497

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T10:30:06Z

Weaknesses