Researchers from Wordfence have described a significant security vulnerability in the MW WP Form plugin for WordPress, affecting versions 5.0.1 and earlier. The flaw lets unauthenticated threat actors upload arbitrary files, potentially including malicious PHP backdoors, to an affected site and then execute those files on the server. In response, WordPress has released version 6.4.2 to counteract this vulnerability.
WordPress has issued this comment on the matter:
“A Remote Code Execution vulnerability that is not directly exploitable in the core, however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”
Unauthenticated Arbitrary File Upload
Description of the vulnerability:
The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘_single_file_upload’ function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
- Wordfence Threat Intel – MW WP Form 5.0.1 Unauthenticated Arbitrary File Upload
According to Wordfence, the best way to counteract this vulnerability at the moment is to update your WordPress installation to the latest version.
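The root cause named above is insufficient file type validation in an upload routine. The following is an added example, not code from MW WP Form, from Wordfence, or from the plugin's fix, showing what a form upload handler looks like when the file type is validated by content as well as by name using WordPress core helpers. The function name example_secure_single_file_upload, the 'form-uploads' subdirectory and the allowlist of types are assumptions chosen for the illustration.

```php
<?php
/**
 * Added example (hypothetical, not MW WP Form code): validate an uploaded form
 * file against an allowlist, checking both the extension and the file contents,
 * then store it under a non-executable name in the uploads area.
 *
 * @param array $file One entry of $_FILES, e.g. $_FILES['attachment'].
 * @return string|WP_Error Absolute path of the stored file, or an error.
 */
function example_secure_single_file_upload( array $file ) {
    // Reject malformed or failed uploads before looking at the content.
    if ( ! isset( $file['error'], $file['tmp_name'], $file['name'] ) || is_array( $file['error'] ) ) {
        return new WP_Error( 'invalid_upload', 'Malformed upload.' );
    }
    if ( UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_failed', 'Upload failed (code ' . (int) $file['error'] . ').' );
    }
    // Only accept a file that PHP itself received through the HTTP request.
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'invalid_upload', 'Not an uploaded file.' );
    }

    // Allowlist of what this particular form needs (assumed here). Nothing the
    // web server can execute belongs in it, nor types that can carry active
    // content such as SVG or HTML.
    $allowed_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );

    // Check extension AND content: wp_check_filetype_and_ext() inspects the real
    // file (image headers / fileinfo) and returns empty 'ext'/'type' when the
    // extension is not allowlisted or the contents do not match the claimed type.
    // For images whose real type differs but is still allowed, 'ext' reflects the
    // real content, which is what the rebuilt filename below uses.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'disallowed_type', 'File type not permitted.' );
    }

    // Never trust the client-supplied name. Rebuild it from a sanitised base with
    // every dot replaced, plus the single validated extension, so multi-extension
    // names and path separators cannot survive into the stored filename.
    $base = sanitize_file_name( str_replace( '.', '-', pathinfo( $file['name'], PATHINFO_FILENAME ) ) );
    if ( '' === $base ) {
        $base = 'upload';
    }
    $filename = $base . '.' . $check['ext'];

    // Store under a dedicated subdirectory of the uploads area with a unique name.
    $upload_dir = wp_upload_dir();
    if ( ! empty( $upload_dir['error'] ) ) {
        return new WP_Error( 'upload_dir', $upload_dir['error'] );
    }
    $target_dir = trailingslashit( $upload_dir['basedir'] ) . 'form-uploads';
    if ( ! wp_mkdir_p( $target_dir ) ) {
        return new WP_Error( 'upload_dir', 'Cannot create the upload directory.' );
    }
    $target = trailingslashit( $target_dir ) . wp_unique_filename( $target_dir, $filename );

    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        return new WP_Error( 'move_failed', 'Could not store the uploaded file.' );
    }
    chmod( $target, 0644 ); // readable by the server, never executable
    return $target;
}

// Hypothetical usage inside a form submission handler:
// $result = example_secure_single_file_upload( $_FILES['attachment'] );
// if ( is_wp_error( $result ) ) {
//     // Report $result->get_error_message() to the user and log the rejection.
// }
```

Two design points matter here. First, the decision is made on the file's contents and an allowlist, not on a denylist of extensions taken from the client-supplied name, which is the weakness an arbitrary-file-upload bug turns on. Second, validation in the plugin is only one layer: configuring the web server so that nothing under the uploads directory is ever executed as PHP means that even a file that slips past validation cannot run, and a sudden appearance of .php files under wp-content/uploads is a useful indicator to alert on.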