Vulnerabilities and security research for mw-wp-form (MW WP Form)
Jun 06, 2024
MW WP Form # f8ff86f77b0d6ce822aaa5af5c71d680ab99821f
- Date: May 08, 2023
- Research Description: MW WP Form [mw-wp-form] < 4.4.3 (closed). MW WP Form <= 4.4.2 - Directory Traversal via _file_upload. The MW WP Form plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.4.2 via the _file_upload function. This allows unauthenticated attackers to upload files of allowed types to arbitrary directories on the site.
- Affected versions: max 4.4.3
- Status: vulnerable
MW WP Form # CVE-2023-6559
- Date: Dec 16, 2023
- Research Description: The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
- Affected versions: max 5.0.4
- Status: vulnerable
MW WP Form # CVE-2024-24804
- Date: Feb 10, 2024
- Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS. This issue affects MW WP Form: from n/a through 5.0.6.
- Affected versions: max 5.1.0
- Status: vulnerable
MW WP Form # CVE-2023-28409
- Date: May 23, 2023
- Research Description: Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file.
- Affected versions: max 4.4.3
- Status: vulnerable
MW WP Form # CVE-2023-28408
- Date: May 23, 2023
- Research Description: Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings.
- Affected versions: max 4.4.3
- Status: vulnerable
MW WP Form # CVE-2023-6316
- Date: Jan 11, 2024
- Research Description: The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Affected versions: max 5.0.2
- Status: vulnerable
Jun 10, 2024
MW WP Form # CVE-2023-46206
- Date: Jan 02, 2025
- Research Description: Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5.
- Affected versions: max 5.0.0
- Status: vulnerable
Apr 13, 2026
MW WP Form # CVE-2026-5436
- Date: Apr 09, 2026
- Research Description: The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join(), a function that returns absolute paths unchanged and so discards the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument; the key survives validation because the targeted file (e.g., wp-config.php) genuinely exists at the absolute path. The _get_attachments() method then re-reads the same surviving keys and passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the file into the uploads folder. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
- Affected versions: max 5.1.2
- Status: vulnerable
MW WP Form # CVE-2026-4347
- Date: Apr 02, 2026
- Research Description: The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
- Affected versions: max 5.1.1
- Status: vulnerable
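The file-move chain in CVE-2026-5436 and CVE-2026-4347 above, and the missing path check behind the arbitrary deletion in CVE-2023-6559, share one defect: a filesystem path derived from attacker input is never confined to the directory the plugin meant to use. The PHP below is an added example written for this page, not MW WP Form's code or WordPress core. wp_style_path_join() is a simplified local reproduction of the path_join() behaviour the advisory describes (an absolute second argument is returned as-is), safe_user_file_path() and is_inside_dir() are hypothetical hardened helpers, and the temp-directory layout, the planted symlink and the stand-in wp-config.php are constructed for the demonstration (a POSIX host is assumed so that symlink() works).

```php
<?php
// Added example (not MW WP Form's or WordPress's code): why an unchecked
// upload-field key becomes an arbitrary path, and what a containment check
// looks like.

// Simplified local reproduction of WordPress path_join(): an absolute $path
// is returned unchanged, so the intended $base is silently discarded.
function wp_style_path_join(string $base, string $path): string
{
    $isAbsolute = $path !== ''
        && ($path[0] === '/' || $path[0] === '\\' || preg_match('#^[A-Za-z]:[\\\\/]#', $path) === 1);
    if ($isAbsolute) {
        return $path;
    }
    return rtrim($base, '/') . '/' . $path;
}

// Containment check for an existing path (the check missing from the deletion
// chain): resolve symlinks and '..', then require the result to sit strictly
// below the base. The trailing separator stops "/uploads-evil" matching "/uploads".
function is_inside_dir(string $path, string $base): bool
{
    $realBase = realpath($base);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $prefix, strlen($prefix)) === 0;
}

// Hardened resolver for an upload-field key (hypothetical helper). The key
// must be a plain form-field identifier, which rules out absolute paths and
// '..' before any path is built; a key that merely names an existing file is
// NOT sufficient, as the advisory notes. If the target already exists, a
// realpath check guards against a symlink planted inside the upload dir.
function safe_user_file_path(string $base, string $name): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) !== 1) {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $candidate = $realBase . DIRECTORY_SEPARATOR . $name;
    if (file_exists($candidate) && !is_inside_dir($candidate, $base)) {
        return null;
    }
    return $candidate;
}

// --- constructed demonstration layout in a temp directory ---
$root = sys_get_temp_dir() . '/mwwpform-demo-' . getmypid();
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in, not a real config\n");
file_put_contents("$root/uploads/attachment-1", "harmless upload\n");
symlink("$root/wp-config.php", "$root/uploads/planted"); // symlink planted inside uploads

$base = "$root/uploads";
$attackerKey = "$root/wp-config.php"; // the value an attacker sends as mwf_upload_files[]

// Vulnerable chain: the key is absolute, so the base is lost, and an
// existence check passes because the attacker chose a file that exists.
$target = wp_style_path_join($base, $attackerKey);
printf("path_join result: %s (exists: %s)\n", $target, file_exists($target) ? 'yes' : 'no');

// Hardened resolver: absolute key rejected, real field key accepted,
// planted symlink rejected because it resolves outside the base.
var_dump(safe_user_file_path($base, $attackerKey));
var_dump(safe_user_file_path($base, 'attachment-1'));
var_dump(safe_user_file_path($base, 'planted'));

// Deletion guard: only ever unlink a path that resolves under the base.
var_dump(is_inside_dir("$root/uploads/../wp-config.php", $base));
var_dump(is_inside_dir("$root/uploads/attachment-1", $base));

// cleanup
unlink("$root/uploads/planted");
unlink("$root/uploads/attachment-1");
unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```

Run with `php example.php`. The first line shows the joined path equal to the attacker's absolute key with the upload base gone; safe_user_file_path() returns null for the absolute key and for the planted symlink and a path under the upload directory only for the genuine field key; is_inside_dir() is false for the `..` traversal and true for the real upload. The allowlist on the key is the primary control, because it rejects the input before any path exists to check; the realpath comparison is the backstop that a file-deletion or file-move routine should apply to whatever path it is about to act on.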
May 16, 2026
MW WP Form # CVE-2026-6206
- Date: May 14, 2026
- Research Description: The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
- Affected versions: max 5.1.3
- Status: vulnerable