cleantalk
Vulnerabilities and Security Researches

MW WP Form, CVE-2023-6559

CVE, Research URL

CVE-2023-6559

Home page URL

Security reports for MW WP Form

Application

MW WP Form

Published on
Dec 16, 2023
Research Description
The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
Affected versions
max 5.0.4.
Status
vulnerable
Previous vulnerability researches
MW WP Form (CVE-2026-5436) , Apr 13, 2026
MW WP Form (CVE-2026-4347) , Apr 13, 2026
MW WP Form (f8ff86f77b0d6ce822aaa5af5c71d680ab99821f) , Jun 06, 2024
MW WP Form (CVE-2023-6559) , Jun 06, 2024
MW WP Form (CVE-2024-24804) , Jun 06, 2024
New vulnerability
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One (CVE-2026-48966) , Jun 10, 2026
Geo Mashup (CVE-2026-48967) , Jun 10, 2026
Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (CVE-2026-49109) , Jun 10, 2026
WP-Paginate (CVE-2021-47982) , Jun 10, 2026
Welcart e-Commerce (CVE-2026-49775) , Jun 10, 2026