MW WP Form Vulnerability – Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion – CVE-2023-6559 | WordPress Plugin Vulnerability Report

Plugin Name: MW WP Form

Key Information:

  • Software Type: Plugin
  • Software Slug: mw-wp-form
  • Software Status: Active
  • Software Author: inc2734
  • Software Downloads: 1,536,050
  • Active Installs: 200,000
  • Last Updated: December 15, 2023
  • Patched Versions: 5.0.4
  • Affected Versions: <= 5.0.3

Vulnerability Details:

  • Name: MW WP Form <= 5.0.3 - Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
  • Title: Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
  • Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CVE: CVE-2023-6559
  • CVSS Score: 7.5 (High)
  • Publicly Published: December 15, 2023
  • Researcher: Thomas Sanzey
  • Description: The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.


The MW WP Form plugin for WordPress has a vulnerability in versions up to and including 5.0.3 that allows unauthenticated arbitrary file deletion. This vulnerability has been patched in version 5.0.4.

Detailed Overview:

The vulnerability exists because the MW WP Form plugin does not properly validate file paths before deleting files. By manipulating the file path, an unauthenticated attacker can trick the plugin into deleting sensitive files like wp-config.php. This could expose database credentials or allow the attacker to insert malicious code and take over the site. The vulnerability was reported by researcher Thomas Sanzey and has been assigned CVE-2023-6559 with a high-severity CVSS score of 7.5. Users are urged to update immediately to prevent compromise.
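The class of check that is missing when a path is not validated before deletion, shown as an added example; this is not MW WP Form's code or its 5.0.4 patch. The function name `safe_delete_upload`, the directory layout and the demo files are hypothetical and constructed for illustration.

```php
<?php
// Added example. Every name here is hypothetical; this is not MW WP Form's code.
// Unsafe pattern, for contrast: unlink($baseDir . '/' . $requestedName);
// A name such as "../wp-config.php" walks out of $baseDir before unlink() runs.

/**
 * Delete $requestedName only if it resolves to a regular file inside $baseDir.
 * Returns true when a file was deleted, false when the request was rejected.
 */
function safe_delete_upload(string $baseDir, string $requestedName): bool
{
    // Canonicalise the allowed directory; realpath() resolves symlinks and "..".
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Empty names and NUL bytes are never legitimate file names.
    if ($requestedName === '' || strpos($requestedName, "\0") !== false) {
        return false;
    }
    // Resolve the candidate; realpath() returns false when it does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare canonical paths. The trailing separator keeps a sibling such as
    // "/uploads-old" from passing as a child of "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree standing in for a site root and its upload directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed placeholder\n");
file_put_contents($root . '/uploads/attachment.txt', "constructed upload\n");

var_dump(safe_delete_upload($root . '/uploads', 'attachment.txt'));   // name inside the directory
var_dump(safe_delete_upload($root . '/uploads', '../wp-config.php')); // name that resolves outside it
var_dump(file_exists($root . '/wp-config.php'));                      // placeholder config still present?
```

The check and the `unlink()` are separate steps, so the upload directory itself should not be writable by anyone who could swap a file for a symlink in between.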

Advice for Users:

  1. Immediate Action: Update to version 5.0.4 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review server logs for unexpected file deletions or other suspicious activity.
  3. Alternate Plugins: Consider alternative form plugins like Contact Form 7 or Gravity Forms.
  4. Stay Updated: Always keep plugins updated to prevent vulnerabilities.
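A small audit for steps 1 and 2, as an added example that is not part of the original report or the plugin: it reads the installed plugin's version header, compares it with the patched version 5.0.4, and checks that wp-config.php is still present. The helper names and the demo tree are constructed; only the slug `mw-wp-form` and the version numbers come from this report.

```php
<?php
// Added example: audits one WordPress root for the plugin version in this report.
// Helper names and the demo tree are constructed for illustration.

const MWWP_SLUG  = 'mw-wp-form'; // slug from the report
const MWWP_FIXED = '5.0.4';      // patched version from the report

/** Return the "Version:" header of the top-level file that has a "Plugin Name:" header. */
function plugin_header_version(string $pluginDir): ?string
{
    foreach (glob($pluginDir . '/*.php') ?: [] as $file) {
        // WordPress reads plugin headers from the first 8 KiB of the file.
        $head = (string) file_get_contents($file, false, null, 0, 8192);
        if (preg_match('/^[ \t\/*#@]*Plugin Name:/mi', $head)
            && preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m)) {
            return $m[1];
        }
    }
    return null; // plugin directory missing or no header found
}

/** Summarise one site root: plugin state and whether wp-config.php is still there. */
function audit_site(string $wpRoot): array
{
    $version = plugin_header_version($wpRoot . '/wp-content/plugins/' . MWWP_SLUG);
    return [
        'installed' => $version !== null,
        'version'   => $version,
        'affected'  => $version !== null && version_compare($version, MWWP_FIXED, '<'),
        // WordPress also accepts wp-config.php one level above the root.
        'wp_config_found' => is_file($wpRoot . '/wp-config.php')
            || is_file(dirname($wpRoot) . '/wp-config.php'),
    ];
}

// Constructed demo: a fake site root with an affected plugin header and no wp-config.php.
$root = sys_get_temp_dir() . '/audit_' . bin2hex(random_bytes(4)) . '/site';
mkdir($root . '/wp-content/plugins/' . MWWP_SLUG, 0700, true);
file_put_contents(
    $root . '/wp-content/plugins/' . MWWP_SLUG . '/main.php', // constructed file name
    "<?php\n/**\n * Plugin Name: MW WP Form\n * Version: 5.0.3\n */\n"
);
print_r(audit_site($root));
```

A site that reports `affected` together with a missing wp-config.php, or that unexpectedly shows the WordPress installation screen, warrants a closer look at its access logs and backups.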


MW WP Form has addressed this vulnerability quickly by releasing patched version 5.0.4. Users should install this update immediately to prevent unauthenticated file deletion attacks. Proper plugin hygiene and timely updates remain critical for site security.


Detailed Report:

Keeping your WordPress website and its plugins up-to-date is critical for security, as outdated software can expose dangerous vulnerabilities. This point has been underscored once again by the recent disclosure of a high severity file deletion vulnerability in the popular MW WP Form plugin, which is active on over 200,000 sites. As a busy small business owner, you may not have time to stay on top of threats like this, but neglecting security updates can have serious consequences.

MW WP Form is a widely used WordPress contact form plugin, with over 1.5 million downloads. Unfortunately, versions up to and including 5.0.3 contain a vulnerability that can allow attackers to delete sensitive files on your site if you are running an outdated copy. Specifically, the plugin fails to validate file paths properly before allowing deletions. By exploiting this, an attacker could delete critical files like wp-config.php even without being logged in, which is known as an “unauthenticated” attack.

The impacts of such an attack could be severe:

  • Exposure of database credentials in wp-config, enabling data theft
  • Malicious code insertion leading to site takeover
  • Injection of malware to infect your site visitors
  • Permanent loss of key site files and data

Clearly, keeping MW WP Form updated is essential. The developer has released version 5.0.4 to patch this particular vulnerability, and users can update manually in their WordPress dashboards or by contacting their system administrator. Alternatively, switching to another form plugin like Contact Form 7 or Gravity Forms avoids the risk specific to MW WP Form as well.

This is not the first vulnerability found in this plugin recently either. There have been three other serious security flaws reported since May 2023, indicating the plugin has not had adequate security safeguards in place. This track record underscores the importance of maintaining awareness and prompt updates.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
