Unauthenticated file move bug risks RCE in MW WP Form
TL;DR — An unauthenticated arbitrary file move flaw in mw-wp-form can let attackers reposition server files in ways that enable WordPress site takeover and potential remote code execution.
What happened
MW WP Form is a WordPress plugin used to build and run forms on WordPress sites.
Wordfence Intelligence published an advisory for CVE-2026-4347 describing insufficient file path validation that allows unauthenticated attackers to move arbitrary files on the server. The advisory notes this can “easily lead to remote code execution when the right file is moved (such as wp-config.php)”. Severity is CVSS 8.1 (High).
The advisory also states the exploitability precondition: the issue is only exploitable if a form includes a file upload field and the “Saving inquiry data in database” option is enabled.
File-move primitives are high-leverage because they can turn a single input-validation bug into persistent configuration tampering and eventual code execution—especially on widely deployed CMS stacks like WordPress.
Who is impacted
- WordPress sites running the MW WP Form plugin with versions <= 5.1.0.
- Highest risk where public forms accept file uploads and “Saving inquiry data in database” is enabled (the advisory’s stated exploitation condition).
| Component | Affected versions (per advisory) | Patched versions (per advisory) |
|---|---|---|
| mw-wp-form | <= 5.1.0 | 5.1.1 |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Remediation, as stated in the advisory: “Update to version 5.1.1, or a newer patched version”.
- Inventory where mw-wp-form is installed and confirm the deployed version across fleets (including golden images, restore snapshots, and IaC-managed WordPress deployments).
- Triage exposure by identifying which sites both (a) accept file uploads via MW WP Form and (b) have “Saving inquiry data in database” enabled.
- If compromise is suspected, review recent filesystem changes and suspicious form submissions on pages that host MW WP Form upload fields, and rotate credentials accessible to the WordPress runtime (database credentials, SMTP/API keys).
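The inventory and triage steps above, as an added example that is not code from the advisory or from the mw-wp-form project: a small fleet checker that reads the installed plugin version from its header, compares it against the patched release named in the advisory (5.1.1), confirms wp-config.php is still where it belongs, and lists files modified within a recent window. It assumes the plugin's main file lives at wp-content/plugins/mw-wp-form/mw-wp-form.php with a standard WordPress "Version:" header; the WordPress-like tree it builds for the demonstration is constructed, not taken from any real site.

```python
"""
Added example (not from the advisory or the mw-wp-form project).
Assumption: the plugin main file is wp-content/plugins/mw-wp-form/mw-wp-form.php
and carries a standard WordPress plugin header with a "Version:" line.
"""
import re
import tempfile
import time
from pathlib import Path
from typing import Optional

PATCHED_VERSION = "5.1.1"  # patched release per the Wordfence advisory
# Assumed location of the plugin's main file relative to the WordPress root.
PLUGIN_MAIN = Path("wp-content/plugins/mw-wp-form/mw-wp-form.php")


def parse_version(header_text: str) -> Optional[str]:
    """Extract the value of the 'Version:' line from a WordPress plugin header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str, width: int = 3) -> tuple:
    """Turn '5.1' / '5.1.0' into a zero-padded integer tuple so '5.1' == '5.1.0'."""
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)", p)
        parts.append(int(m.group(1)) if m else 0)
    while len(parts) < width:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release (<= 5.1.0)."""
    return version_tuple(installed) < version_tuple(patched)


def check_install(wp_root: Path, recent_hours: float = 24.0, now: Optional[float] = None) -> dict:
    """Inventory and triage one WordPress root. Returns a plain dict so results
    can be aggregated across a fleet or pushed into a ticketing system."""
    now = time.time() if now is None else now
    result = {
        "root": str(wp_root),
        "plugin_installed": False,
        "version": None,
        "vulnerable": None,               # None when the plugin or its version is absent
        "wp_config_present": (wp_root / "wp-config.php").is_file(),
        "recently_modified": [],          # paths touched within the window, relative to root
    }
    main = wp_root / PLUGIN_MAIN
    if main.is_file():
        result["plugin_installed"] = True
        version = parse_version(main.read_text(errors="replace")[:4096])
        result["version"] = version
        result["vulnerable"] = is_vulnerable(version) if version else None
    cutoff = now - recent_hours * 3600
    for path in wp_root.rglob("*"):
        if path.is_file() and path.stat().st_mtime >= cutoff:
            result["recently_modified"].append(str(path.relative_to(wp_root)))
    result["recently_modified"].sort()
    return result


def build_sample_root(version: str) -> Path:
    """Construct a throwaway WordPress-like tree so the checker runs offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-config.php").write_text("<?php // constructed sample config\n")
    main = root / PLUGIN_MAIN
    main.parent.mkdir(parents=True)
    main.write_text(f"<?php\n/**\n * Plugin Name: MW WP Form\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for v in ("5.1.0", "5.1.1"):
        report = check_install(build_sample_root(v))
        print(f"version={report['version']} vulnerable={report['vulnerable']} "
              f"wp-config present={report['wp_config_present']} "
              f"recently modified={report['recently_modified']}")
```

Run it against each WordPress root in the fleet (or point it at mounted golden images and restore snapshots) and escalate any root where `vulnerable` is true. The version check alone does not decide exposure: whether a form has a file upload field and whether “Saving inquiry data in database” is enabled lives in the plugin's own settings, which this script does not read, so those two conditions still need to be confirmed per site.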
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
