{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-move/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4347"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-move","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe MW WP Form plugin for WordPress is susceptible to an arbitrary file moving vulnerability identified as CVE-2026-4347. This flaw stems from a lack of proper file path validation within the \u0026lsquo;generate_user_filepath\u0026rsquo; and \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; functions. All versions of the plugin up to and including 5.1.0 are affected. An unauthenticated attacker can exploit this vulnerability to move arbitrary files on the server, potentially overwriting or relocating critical system files. The most severe outcome is remote code execution, which can be achieved by moving files such as \u0026lsquo;wp-config.php\u0026rsquo; to a location where its contents are exposed. The vulnerability is only exploitable when a file upload field exists on a form and the “Saving inquiry data in database” option is enabled, narrowing the attack surface but increasing the risk for affected installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the MW WP Form plugin (\u0026lt;= 5.1.0) with a file upload field enabled and the \u0026ldquo;Saving inquiry data in database\u0026rdquo; option turned on.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the WordPress site, targeting the file upload functionality of the MW WP Form plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the file path within the request, exploiting the insufficient validation in the \u0026lsquo;generate_user_filepath\u0026rsquo; function to specify a target file for movement.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;move_temp_file_to_upload_dir\u0026rsquo; function is triggered, attempting to move the uploaded file to the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the targeted file (e.g., wp-config.php) is successfully moved to a new location on the server.\u003c/li\u003e\n\u003cli\u003eIf wp-config.php is moved to a publicly accessible directory, the database credentials and other sensitive information become exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exposed wp-config.php file, extracting database credentials and other sensitive information.\u003c/li\u003e\n\u003cli\u003eUsing the obtained database credentials, the attacker gains unauthorized access to the WordPress database, potentially leading to remote code execution or complete site compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4347 allows unauthenticated attackers to move arbitrary files within the WordPress server\u0026rsquo;s file system. This can lead to the exposure of sensitive configuration files like \u0026lsquo;wp-config.php\u0026rsquo;, leading to full database and site compromise. While the number of affected installations is currently unknown, a successful attack can have devastating consequences, including data theft, website defacement, and remote code execution. The impact is limited to sites using the vulnerable MW WP Form plugin with specific configuration settings enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the MW WP Form plugin to the latest version (greater than 5.1.0) to patch CVE-2026-4347.\u003c/li\u003e\n\u003cli\u003eAs a preventative measure, implement file integrity monitoring on critical files like \u0026lsquo;wp-config.php\u0026rsquo; to detect unauthorized modifications or movement. Use file_event logs to trigger alerts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MW WP Form Arbitrary File Move Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview WordPress access logs for suspicious file upload requests, focusing on requests to the MW WP Form plugin\u0026rsquo;s upload handler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T06:16:23Z","date_published":"2026-04-02T06:16:23Z","id":"/briefs/2026-04-mw-wp-form-file-move/","summary":"The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.","title":"MW WP Form WordPress Plugin Arbitrary File Move Vulnerability (CVE-2026-4347)","url":"https://feed.craftedsignal.io/briefs/2026-04-mw-wp-form-file-move/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Move","version":"https://jsonfeed.org/version/1.1"}