MW WP Form plugin for WordPress has critical flaw exposing 200k installs

published: Dec. 4, 2023

Take action: If you are using the MW WP Form plugin, update ASAP. If you cannot update for whatever reason, disable the “Saving inquiry data in database” option in the plugin’s form settings as a temporary stopgap. That may break your site, so push for the update.


Learn More

Security experts from Wordfence have identified a serious vulnerability in the MW WP Form plugin which permits unauthenticated attackers to upload any file, including harmful PHP backdoors, and execute them on the server.

The MW WP Form plugin is a tool for creating forms on WordPress sites which allows easy customization of forms with various fields and options. A notable feature of this plugin is the ability to upload files using the [mwform_file name="file"] shortcode, intended for data collection. Unfortunately, this feature is at the core of the identified security risk.

The vulnerability is tracked as CVE-2023-6316 (CVSS3 score 9.8) and is caused by a bug in the handling of unsafe file types. The check correctly identifies unsafe file types, but it then throws a runtime exception for a disallowed type instead of stopping the upload. As a result, the dangerous file type is logged, yet the upload is not prevented. An attacker can therefore upload dangerous files to a website without being registered or holding any specific user permissions, leading to remote code execution and compromise of the website and its visitors.
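The fail-open pattern described above, shown as an added illustration in Python (this is not the plugin's PHP code, and the disallowed-extension list is a constructed example policy): the vulnerable variant raises and then catches the exception, so the upload still completes, while the fixed variant refuses before anything is stored.

```python
import logging

# Constructed example policy: extensions an inquiry form should never store.
DISALLOWED_EXTENSIONS = {"php", "phtml", "php5", "phar", "cgi", "js", "html"}


class UnsafeFileTypeError(Exception):
    """Raised when an upload's name carries a disallowed extension."""


def file_extensions(filename):
    # Every suffix is inspected, so a double extension such as
    # "report.php.pdf" is caught as well as a plain "report.php".
    return set(filename.lower().split(".")[1:])


def is_safe_file_type(filename):
    return not (file_extensions(filename) & DISALLOWED_EXTENSIONS)


def save_upload_vulnerable(filename, storage):
    """Fail-open: the check runs, but its only effect is a log line."""
    try:
        if not is_safe_file_type(filename):
            raise UnsafeFileTypeError(filename)
    except UnsafeFileTypeError as exc:
        logging.warning("unsafe file type: %s", exc)  # logged, flow continues
    storage[filename] = True  # reached for every file, so the upload succeeds
    return True


def save_upload_fixed(filename, storage):
    """Fail-closed: an unsafe type stops the upload before it is stored."""
    if not is_safe_file_type(filename):
        logging.warning("rejected unsafe file type: %s", filename)
        return False
    storage[filename] = True
    return True


if __name__ == "__main__":
    vulnerable, fixed = {}, {}
    print(save_upload_vulnerable("backdoor.php", vulnerable), vulnerable)  # True {'backdoor.php': True}
    print(save_upload_fixed("backdoor.php", fixed), fixed)                # False {}
```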

The vulnerability's impact is contingent on the “Saving inquiry data in database” option being enabled in the plugin’s form settings.

This flaw affects MW WP Form plugin versions up to 5.0.1. WordPress admins are strongly advised to update the MW WP Form plugin to the latest version, 5.0.2, and to disable the “Saving inquiry data in database” option in the plugin’s form settings.
