What the vulnerability does
01 Description
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
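A path containment check of the kind the description says is insufficient, shown as an added example that is not MW WP Form's code or its patch. The function name `safe_move_temp_file`, the directory layout and the sample files are hypothetical and constructed for the demo.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Moves a temp upload into $destDir only when the client-supplied name
// resolves to a regular file directly inside $tempDir.
function safe_move_temp_file(string $tempDir, string $destDir, string $name): ?string
{
    // Canonicalise the trusted roots; realpath() returns false if they do not exist.
    $tempRoot = realpath($tempDir);
    $destRoot = realpath($destDir);
    if ($tempRoot === false || $destRoot === false) {
        return null;
    }

    // Accept a bare file name only: no separators, NUL bytes or dot entries.
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\\0") !== false
        || $name !== basename($name)) {
        return null;
    }

    // Resolve symlinks, then require the result to sit directly under the temp root.
    $source = realpath($tempRoot . DIRECTORY_SEPARATOR . $name);
    if ($source === false || !is_file($source) || dirname($source) !== $tempRoot) {
        return null;
    }

    $target = $destRoot . DIRECTORY_SEPARATOR . basename($source);
    return rename($source, $target) ? $target : null;
}

// Constructed demo data: a scratch tree with one upload and one file outside it.
$base = sys_get_temp_dir() . '/mwdemo_' . bin2hex(random_bytes(4));
mkdir("$base/tmp", 0700, true);
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/tmp/photo.png", 'x');
file_put_contents("$base/config.php", 'constructed secret');

// A name pointing outside the temp directory, then a plain upload name.
var_dump(safe_move_temp_file("$base/tmp", "$base/uploads", '../config.php'));
var_dump(safe_move_temp_file("$base/tmp", "$base/uploads", 'photo.png'));
var_dump(file_exists("$base/config.php"));
```

The check runs on the resolved path rather than the raw string, so a symlink placed in the temp directory is rejected as well as a name containing separators.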
Explanation of Vulnerability in Simple Terms
02 Summary
MW WP Form versions up to 5.1.0 contain a path traversal vulnerability that allows an attacker to read, write, or delete files on the server. The vulnerability requires network access but no authentication or user interaction. An attacker can exploit this to access sensitive files, modify site content, or disrupt service availability.
What an attacker can do
03 Attacker Capabilities
Read, write, or delete files on the server outside the intended directory.
Potential impact on your site
04 Site Impact
Attackers can access sensitive files, modify or delete site data, or cause service disruption without needing a user account.
Conditions required to exploit
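05 Prerequisites
Network access to the site; no authentication or user interaction required. As the description notes, the form must also include a file upload field and have the “Saving inquiry data in database” option enabled.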
Key dates
06 Disclosure timeline
April 2, 2026: CVE published
April 8, 2026: Record updated