8 results (0.005 seconds)

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Apr 2026 — The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model vi... • https://github.com/web-soudan/mw-wp-form/commit/f872ab18ca670f5867b2241745daa30cd0fab861 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Apr 2026 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is adde... • https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Jan 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS. This issue affects MW WP Form: from n/a through 5.0.6. The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in vers... • https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 10.0 • EPSS: 6% • CPEs: 1 • EXPL: 0

15 Dec 2023 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3007879/mw-wp-form • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 • EPSS: 8% • CPEs: 1 • EXPL: 0

04 Dec 2023 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.0.1/classes/models/class.file.php#L60 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Oct 2023 — Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5. Missing Authorization vulnerability in Webの相談所 MW WP Form mw-wp-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through <= 4.4.5. The MW WP Form plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, ... • https://patchstack.com/database/wordpress/plugin/mw-wp-form/vulnerability/wordpress-mw-wp-form-plugin-4-4-5-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 10.0 • EPSS: 2% • CPEs: 1 • EXPL: 0

23 May 2023 — Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings. • https://jvn.jp/en/jp/JVN01093915 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 • EPSS: 5% • CPEs: 1 • EXPL: 0

08 May 2023 — Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. The MW WP Form plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.4.2 via the _file_upload function. This allows unauthenticated attackers to upload files of allowed types to arbitrary directories on the site. • https://jvn.jp/en/jp/JVN01093915 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-434: Unrestricted Upload of File with Dangerous Type •