Critical vulnerability rated 9.8/10 in the MW WP Form plugin allows potential remote code execution on vulnerable websites

Written By :

Category :


Posted On :

Share This :

Researchers from Wordfence have outlined a significant security vulnerability in the MW WP Form plugin, impacting versions 5.0.1 and earlier. This flaw enables unauthorized threat actors to take advantage of the plugin by uploading arbitrary files, potentially containing malicious PHP backdoors. These actors can then execute these files on the server. WordPress in-response has released version 6.4.2 to counteract this vulnerability.

WordPress has released this comment on the matter:

“A Remote Code Execution vulnerability that is not directly exploitable in the core, however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

Unauthenticated Arbitrary File Upload

Description of the vulnerability:

The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘_single_file_upload’ function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.


The best way to counteract this vulnerability at the moment is to update your WordPress to the latest version according to Wordfence.