{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mw-wp-form-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5436"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MW WP Form plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-move","rce"],"_cs_type":"advisory","_cs_vendors":["MW WP Form"],"content_html":"\u003cp\u003eThe MW WP Form plugin for WordPress, versions up to and including 5.1.1, contains an arbitrary file move/read vulnerability (CVE-2026-5436). This vulnerability stems from insufficient validation of the \u003ccode\u003e$name\u003c/code\u003e parameter (upload field key) passed to the \u003ccode\u003egenerate_user_file_dirpath()\u003c/code\u003e function. The \u003ccode\u003epath_join()\u003c/code\u003e function returns absolute paths unchanged, bypassing intended base directory restrictions. An attacker-controlled key is injected via the \u003ccode\u003emwf_upload_files[]\u003c/code\u003e POST parameter, which is then loaded into the plugin's Data model via \u003ccode\u003e_set_request_valiables()\u003c/code\u003e. Successful exploitation requires a file upload field to be present on the form and the “Saving inquiry data in database” option to be enabled. This vulnerability allows unauthenticated attackers to move sensitive files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, potentially leading to remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request targeting a WordPress site with the vulnerable MW WP Form plugin installed.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003emwf_upload_files[]\u003c/code\u003e POST parameter containing a crafted key (the \u003ccode\u003e$name\u003c/code\u003e parameter). This key will be used as the filename for the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_set_request_valiables()\u003c/code\u003e function within the plugin loads the attacker-supplied key into the plugin's Data model.\u003c/li\u003e\n\u003cli\u003eDuring form processing, \u003ccode\u003eregenerate_upload_file_keys()\u003c/code\u003e iterates over the uploaded file keys.\u003c/li\u003e\n\u003cli\u003eFor each key, \u003ccode\u003egenerate_user_filepath()\u003c/code\u003e is called, passing the attacker-supplied key as the \u003ccode\u003e$name\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e$name\u003c/code\u003e argument is passed to the \u003ccode\u003epath_join()\u003c/code\u003e function, which incorrectly handles absolute paths.\u003c/li\u003e\n\u003cli\u003eThe _get_attachments() method then passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the targeted file.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to move arbitrary files to overwrite or relocate critical system files (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e), ultimately achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to move arbitrary files on the server hosting the WordPress site. This can lead to sensitive information disclosure by moving files to a publicly accessible directory or, more critically, remote code execution by moving configuration files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains database credentials and other sensitive information. The impact is critical, potentially leading to full server compromise. The number of affected sites depends on the adoption rate of the vulnerable plugin version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect MW WP Form Arbitrary File Move Attempt via POST Request\u0026quot; to your SIEM to detect exploitation attempts by monitoring HTTP POST requests to the WordPress site (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply the available patch or upgrade the MW WP Form plugin to a version greater than 5.1.1 to remediate CVE-2026-5436.\u003c/li\u003e\n\u003cli\u003eEnable web server logging with detailed request information to capture the \u003ccode\u003emwf_upload_files[]\u003c/code\u003e POST parameter for forensic analysis (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected file movements, specifically targeting configuration files such as \u003ccode\u003ewp-config.php\u003c/code\u003e (log source: file_event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-mw-wp-form-file-move/","summary":"The MW WP Form plugin for WordPress is vulnerable to arbitrary file move/read (CVE-2026-5436) due to insufficient validation of the $name parameter, allowing unauthenticated attackers to move arbitrary files, potentially leading to remote code execution.","title":"MW WP Form WordPress Plugin Arbitrary File Move/Read Vulnerability (CVE-2026-5436)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-mw-wp-form-file-move/"}],"language":"en","title":"CraftedSignal Threat Feed - MW WP Form Plugin","version":"https://jsonfeed.org/version/1.1"}