Product
The MW WP Form plugin for WordPress is vulnerable to arbitrary file move/read (CVE-2026-5436) due to insufficient validation of the $name parameter, allowing unauthenticated attackers to move arbitrary files, potentially leading to remote code execution.