A high-severity vulnerability in the MW WP Form plugin has put over 200,000 WordPress sites at risk. The flaw, which allows unauthenticated attackers to move arbitrary files on the server, could lead to devastating outcomes such as site takeovers and remote code execution if exploited. Wordfence researchers discovered and disclosed the issue, which has been patched in version 5.1.1 of the plugin.
Key Takeaways
- MW WP Form plugin vulnerability affects versions up to 5.1.0, exposing over 200,000 sites to potential attacks.
- The flaw enables unauthenticated attackers to move critical files, including wp-config.php, risking site compromise.
- A patch is available in version 5.1.1, and immediate updates are strongly recommended.
- Wordfence Premium users are protected by built-in Local File Inclusion protections.
- ISMAILSHADOW earned $3,105 for responsibly reporting the vulnerability.
The Vulnerability: Arbitrary File Move Exploit
The vulnerability, tracked as CVE-2026-4347, stems from insufficient validation of file paths in the MW WP Form plugin’s code. Specifically, functions like generate_user_filepath and move_temp_file_to_upload_dir fail to adequately restrict absolute file paths, allowing attackers to move files such as wp-config.php. If exploited, this flaw enables unauthorized access and potentially remote code execution.
Importantly, the vulnerability is only exploitable if the “Saving inquiry data in database” option is enabled in the plugin’s settings. This option stores uploaded files on the server, where malicious actors can manipulate them. Users who rely on this feature are at heightened risk.
Technical Analysis of the Exploit
The MW WP Form plugin offers a shortcode-based form builder that includes file upload functionality. While it implements protections against relative path traversal, it fails to validate absolute paths properly. The exploitation process involves sending a crafted request to the server, targeting critical files such as wp-config.php.
The vulnerable code resides in the MW_WP_Form_Directory::generate_user_filepath and MWF_Functions::move_temp_file_to_upload_dir functions. Although these functions attempt to reject invalid paths, their validation mechanisms fall short when handling absolute paths or null characters. This oversight creates an opening for attackers to move files to unintended locations.
Response and Mitigation
Wordfence disclosed the vulnerability to the plugin’s developer, Monkey Wrench Inc., on March 24, 2026. Within two days, the developer registered on the Wordfence Vulnerability Management Portal and released a patch in version 5.1.1. Users are strongly urged to update to this version immediately to secure their sites.
Warning: Failure to update MW WP Form to version 5.1.1 exposes your site to potential takeover and remote code execution risks.
Wordfence Premium, Wordfence Care, and Wordfence Response users are already protected against exploits targeting this vulnerability via Local File Inclusion protections in the Wordfence firewall.
What This Means for WordPress Users
This vulnerability highlights the critical importance of regular plugin updates and proactive security measures. For site owners using MW WP Form, updating to version 5.1.1 is non-negotiable. If you manage client sites, verify that this update is applied immediately. Agencies should consider implementing automated tools to monitor plugin vulnerabilities and enforce timely updates.
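One way for a site owner or agency to verify the fix across many installs is to read the Version header of the plugin's main file and compare it against the patched release. The script below is an added example, not code from the article, from Wordfence, or from the plugin; the plugin path it probes is an assumption based on the usual wp-content/plugins/<slug>/<slug>.php layout, and the sample headers are constructed.

```php
<?php
// Added example (not MW WP Form or Wordfence code): decide whether an installed
// copy of MW WP Form is at or above the patched release by reading the
// "Version:" header of its main plugin file.

const PATCHED_VERSION = '5.1.1';   // the fixed release named in the advisory

/** Extract the Version header from plugin file contents, or null if absent. */
function plugin_header_version(string $contents): ?string {
    // Matches "Version: 5.1.0" and the docblock form " * Version: 5.1.1".
    if (preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9.]*)/mi', $contents, $m)) {
        return $m[1];
    }
    return null;
}

/** Return 'patched', 'vulnerable' or 'unknown' for the given file contents. */
function classify_plugin(string $contents): string {
    $v = plugin_header_version($contents);
    if ($v === null) {
        return 'unknown';
    }
    // version_compare() understands dotted versions, so 5.1.10 > 5.1.9.
    return version_compare($v, PATCHED_VERSION, '>=') ? 'patched' : 'vulnerable';
}

// Constructed sample headers (not real files from a site):
$samples = [
    "<?php\n/*\nPlugin Name: MW WP Form\nVersion: 5.1.0\n*/\n",
    "<?php\n/**\n * Plugin Name: MW WP Form\n * Version: 5.1.1\n */\n",
];
foreach ($samples as $s) {
    printf("%s -> %s\n", plugin_header_version($s), classify_plugin($s));
}

// On a real site, run from the WordPress root. The path is an assumption
// (plugin slug and main file name are not stated in the article).
$path = 'wp-content/plugins/mw-wp-form/mw-wp-form.php';
if (is_readable($path)) {
    printf("%s -> %s\n", $path, classify_plugin(file_get_contents($path)));
}
```

On hosts with WP-CLI available, `wp plugin list` reports installed plugin versions directly; the header-parsing approach is useful where only file access is available, for example when sweeping a directory of client sites over SFTP.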
For developers, this incident underscores the need for robust input validation and comprehensive security reviews during development. Plugins with file upload functionalities are particularly susceptible to attacks, and developers must ensure strict validation for both relative and absolute file paths.
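The technical analysis above describes a check that stops relative traversal but not absolute paths or null bytes, and this paragraph asks developers to validate both. The following added example, which is not the plugin's code and not Wordfence's, contrasts an inadequate check of that kind with a hardened resolver. `$upload_dir`, `$user_path`, and the function names are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
// Added example (not MW WP Form code): validating a user-supplied file name
// before an uploaded file is moved into one fixed upload directory.

/**
 * Inadequate check of the kind the article describes: it blocks ".." traversal
 * but accepts an absolute path or a path containing a NUL byte.
 */
function weak_is_safe_path(string $user_path): bool {
    return strpos($user_path, '..') === false;
}

/**
 * Hardened check: returns the canonical destination inside $upload_dir,
 * or null if the input must be rejected.
 */
function resolve_upload_target(string $upload_dir, string $user_path): ?string {
    // 1. NUL bytes can truncate the path in lower-level calls; reject outright.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    // 2. Reject empty input, absolute paths (POSIX and Windows forms) and
    //    anything that looks like a stream wrapper such as "phar://".
    if ($user_path === '' || $user_path[0] === '/' || $user_path[0] === '\\'
        || preg_match('#^[A-Za-z]:[\\\\/]#', $user_path)
        || strpos($user_path, '://') !== false) {
        return null;
    }
    // 3. Normalise separators and walk the segments lexically. Any ".."
    //    segment is rejected, even one that would stay inside the base.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $user_path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null;
    }
    $base = rtrim($upload_dir, '/');
    $candidate = $base . '/' . implode('/', $parts);
    // 4. Defence in depth: the result must still start with the base directory.
    if (strncmp($candidate, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: one benign name, an absolute path, a NUL-byte name,
// and a relative traversal attempt.
$upload_dir = '/var/www/html/wp-content/uploads/mwf';
$inputs = ['photo.png', '/var/www/html/wp-config.php', "photo.png\0.txt", 'a/../../wp-config.php'];
foreach ($inputs as $input) {
    $target = resolve_upload_target($upload_dir, $input);
    printf("%-40s weak=%s hardened=%s\n", addcslashes($input, "\0"),
        weak_is_safe_path($input) ? 'accept' : 'reject',
        $target === null ? 'reject' : $target);
}
```

The weak check rejects only the last input; the hardened resolver accepts only `photo.png`. The string-level checks do not follow symlinks, so where the upload tree may contain them, also call `realpath()` on the parent directory of the final target and confirm it still lies under `realpath($upload_dir)` before moving the file. For plain file names (no subdirectories), WordPress's own `sanitize_file_name()` covers the basename case.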
Finally, this case illustrates the value of bug bounty programs in enhancing ecosystem security. Researchers like ISMAILSHADOW play a vital role in identifying vulnerabilities before they can be exploited. WordPress professionals should encourage vendors to participate in such programs.
Frequently Asked Questions
What versions of MW WP Form are affected?
All versions up to and including 5.1.0 are affected. Version 5.1.1 contains the necessary patch.
How can attackers exploit this vulnerability?
Attackers can exploit the flaw by sending crafted requests to move critical files, such as wp-config.php, to unintended locations.
Am I protected if I use Wordfence?
Yes, Wordfence Premium, Care, Response, and free users are protected by the firewall’s Local File Inclusion protections.
What should I do if I use MW WP Form?
Update to version 5.1.1 immediately. Disable the “Saving inquiry data in database” option if you cannot update right away.
What is the CVSS score for this vulnerability?
The vulnerability has a CVSS score of 8.1, categorizing it as high severity.