<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>MW WP Form Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mw-wp-form-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mw-wp-form-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>MW WP Form WordPress Plugin Arbitrary File Move/Read Vulnerability (CVE-2026-5436)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-mw-wp-form-file-move/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-mw-wp-form-file-move/</guid><description>The MW WP Form plugin for WordPress is vulnerable to arbitrary file move/read (CVE-2026-5436) due to insufficient validation of the $name parameter, allowing unauthenticated attackers to move arbitrary files, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The MW WP Form plugin for WordPress, versions up to and including 5.1.1, contains an arbitrary file move/read vulnerability (CVE-2026-5436). This vulnerability stems from insufficient validation of the <code>$name</code> parameter (upload field key) passed to the <code>generate_user_file_dirpath()</code> function. The <code>path_join()</code> function returns absolute paths unchanged, bypassing intended base directory restrictions. An attacker-controlled key is injected via the <code>mwf_upload_files[]</code> POST parameter, which is then loaded into the plugin's Data model via <code>_set_request_valiables()</code>. Successful exploitation requires a file upload field to be present on the form and the “Saving inquiry data in database” option to be enabled. This vulnerability allows unauthenticated attackers to move sensitive files, such as <code>wp-config.php</code>, potentially leading to remote code execution.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP POST request targeting a WordPress site with the vulnerable MW WP Form plugin installed.</li>
<li>The attacker includes a <code>mwf_upload_files[]</code> POST parameter containing a crafted key (the <code>$name</code> parameter). This key will be used as the filename for the uploaded file.</li>
<li>The <code>_set_request_valiables()</code> function within the plugin loads the attacker-supplied key into the plugin's Data model.</li>
<li>During form processing, <code>regenerate_upload_file_keys()</code> iterates over the uploaded file keys.</li>
<li>For each key, <code>generate_user_filepath()</code> is called, passing the attacker-supplied key as the <code>$name</code> argument.</li>
<li>The <code>$name</code> argument is passed to the <code>path_join()</code> function, which incorrectly handles absolute paths.</li>
<li>The _get_attachments() method then passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the targeted file.</li>
<li>The attacker leverages the ability to move arbitrary files to overwrite or relocate critical system files (e.g., <code>wp-config.php</code>), ultimately achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows unauthenticated attackers to move arbitrary files on the server hosting the WordPress site. This can lead to sensitive information disclosure by moving files to a publicly accessible directory or, more critically, remote code execution by moving configuration files like <code>wp-config.php</code>, which contains database credentials and other sensitive information. The impact is critical, potentially leading to full server compromise. The number of affected sites depends on the adoption rate of the vulnerable plugin version.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect MW WP Form Arbitrary File Move Attempt via POST Request&quot; to your SIEM to detect exploitation attempts by monitoring HTTP POST requests to the WordPress site (log source: webserver).</li>
<li>Apply the available patch or upgrade the MW WP Form plugin to a version greater than 5.1.1 to remediate CVE-2026-5436.</li>
<li>Enable web server logging with detailed request information to capture the <code>mwf_upload_files[]</code> POST parameter for forensic analysis (log source: webserver).</li>
<li>Monitor file system events for unexpected file movements, specifically targeting configuration files such as <code>wp-config.php</code> (log source: file_event).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>file-move</category><category>rce</category></item></channel></rss>