
Critical Vulnerability in WordPress Form Plugin Affects Over 200,000 Websites

  • Post category: Blogs

A critical vulnerability, rated 9.8 out of 10 on the CVSS scale, has been identified in the MW WP Form plugin for WordPress, which is installed on more than 200,000 websites. The flaw allows unauthenticated remote code execution on affected sites, which puts both the site owner and the site's visitors at risk.

Background on MW WP Form Plugin

MW WP Form is a widely used plugin that simplifies the creation of forms on WordPress websites. Its shortcode builder has made it a popular choice for users who want to build and customize forms with a variety of fields and options. One of its features is support for file upload fields, and that functionality is where the vulnerability lies.

Details of the Vulnerability

The issue is an unauthenticated arbitrary file upload vulnerability: an attacker can upload files to a site without holding an account or authenticating in any way. The flaw is in the plugin's file type check, which correctly identifies dangerous file types but does not stop the upload when it finds one.

Technical Analysis

Security researchers at Wordfence analyzed the issue. They found that the plugin's file type check does identify dangerous file types and logs them, but the upload process is not aborted when a disallowed type is detected: the check's verdict is recorded and then ignored, and the file is written to the server anyway. An attacker can therefore upload an arbitrary PHP file through a form with an upload field and then request that file over the web, causing the server to execute it and achieving remote code execution.
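The bug class Wordfence describes, a check whose result is logged but never used to stop the request, is easy to see in a small self-contained handler. The following is an added example written for this page; it is not code from MW WP Form, from Wordfence, or from the 5.0.2 patch, and it does not reproduce the plugin's actual logic. The function names, the extension allowlist, the constructed sample "uploads" and the storage paths are all assumptions. It needs only the PHP command-line interpreter with the default fileinfo extension, no WordPress installation.

```php
<?php
declare(strict_types=1);
// Added example, not code from MW WP Form or Wordfence. It models the bug class
// the advisory describes: an upload handler whose file-type check detects a
// disallowed type (and logs it) but never stops the upload, beside a handler
// that refuses the file. Names, allowlists and sample files are assumptions.

// Constructed sample "uploads" (name => bytes), standing in for $_FILES entries.
const SAMPLE_UPLOADS = [
    'resume.pdf'    => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    'photo.jpg'     => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    'shell.php'     => "<?php system(\$_GET['c']); ?>",
    'shell.php.jpg' => "<?php system(\$_GET['c']); ?>",   // double extension
    'logo.png'      => "<?php echo 'not a png'; ?>",      // content/extension mismatch
];

// Extension allowlist and the MIME type each extension must sniff as.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
                 'gif' => 'image/gif', 'pdf' => 'application/pdf'];
// Extensions that a typical PHP-enabled web server will execute.
const EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht'];

// Every extension segment of the file name, lower-cased ("a.php.jpg" => ['php', 'jpg']).
function extension_segments(string $name): array {
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                  // drop the base name, keep the extensions
    return $parts;
}

// The check itself is correct: it recognises executable types, including double extensions.
function is_executable_type(string $name): bool {
    foreach (extension_segments($name) as $ext) {
        if (in_array($ext, EXECUTABLE, true)) {
            return true;
        }
    }
    return false;
}

// Vulnerable pattern: the verdict of the check only feeds a log entry.
function vulnerable_upload(string $name, string $bytes, array &$log): array {
    if (is_executable_type($name)) {
        $log[] = "disallowed file type detected: $name";   // noted, but not acted on
    }
    // Control falls through and the file is stored under the web root regardless.
    return ['stored' => true, 'path' => 'wp-content/uploads/' . basename($name)];
}

// Hardened pattern: validate, and return before anything is written on any failure.
function hardened_upload(string $name, string $bytes): array {
    $segments = extension_segments($name);
    $ext = $segments === [] ? '' : end($segments);

    if (!array_key_exists($ext, ALLOWED)) {               // allowlist, not denylist
        return ['stored' => false, 'reason' => "extension '$ext' not in allowlist"];
    }
    if (is_executable_type($name)) {                      // catches shell.php.jpg
        return ['stored' => false, 'reason' => 'executable extension in file name'];
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed !== ALLOWED[$ext]) {                     // catches logo.png with PHP inside
        return ['stored' => false, 'reason' => "content is $sniffed, expected " . ALLOWED[$ext]];
    }
    // Random name (no attacker-controlled characters) under a directory from which the
    // web server is configured not to execute scripts (assumed deployment detail).
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['stored' => true, 'path' => 'private-uploads/' . $stored];
}

$log = [];
foreach (SAMPLE_UPLOADS as $name => $bytes) {
    $v = vulnerable_upload($name, $bytes, $log);
    $h = hardened_upload($name, $bytes);
    printf("%-14s vulnerable: stored=%s   hardened: %s\n",
        $name, $v['stored'] ? 'yes' : 'no',
        $h['stored'] ? 'stored as ' . $h['path'] : 'rejected (' . $h['reason'] . ')');
}
echo "\nvulnerable handler's log:\n  " . implode("\n  ", $log) . "\n";
```

Run it with `php upload-check.php`. The vulnerable handler stores all five files and leaves only log lines behind, which is exactly the situation the advisory describes; the hardened handler stores `resume.pdf` and `photo.jpg` and rejects the three others, each for a different reason (executable extension, executable extension hidden behind a double extension, and file content that does not match the claimed type). The two design points worth copying are that validation returns before the write on any failure, rather than merely recording a verdict, and that the stored file gets a server-generated name in a location where scripts are not executed, so that even a future bypass of the type check does not immediately yield code execution.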

Implications of the Vulnerability

The severity of this threat is hard to overstate. Remote code execution can lead to complete site takeover, data breaches, and the use of the compromised site to distribute further malware. Because the upload requires no authentication, any site with a vulnerable version and a form that accepts file uploads is exposed to the whole internet.

Steps to Mitigate the Risk

In response to this discovery, Wordfence strongly advises users of the MW WP Form plugin to update to version 5.0.2 or later, where the vulnerability is patched. Updating closes the hole but does not remove anything an attacker may already have uploaded, so administrators should also check the uploads directory for unexpected PHP files and review the site's other security measures to prevent similar vulnerabilities.
This incident is a stark reminder of the importance of website security and the need for constant vigilance. Regular updates and security checks are crucial in protecting your online presence from such threats. As we continue to rely more on digital platforms, the responsibility of safeguarding our digital assets becomes increasingly paramount.