WordPress Plugin Vulnerability Report – MW WP Form – Unauthenticated Arbitrary File Upload – CVE-2023-6316
Plugin Name: MW WP Form
Key Information:
- Software Type: Plugin
- Software Slug: mw-wp-form
- Software Status: Active
- Software Author: inc2734
- Software Downloads: 1,305,500
- Active Installs: 200,000
- Last Updated: December 4, 2023
- Patched Versions: 5.0.2
- Affected Versions: <= 5.0.1
Vulnerability Details:
- Name: MW WP Form <= 5.0.1 - Unauthenticated Arbitrary File Upload
- Title: Unauthenticated Arbitrary File Upload
- Type: Unrestricted Upload of File with Dangerous Type
- CVE: CVE-2023-6316
- CVSS Score: 9.8 (Critical)
- Publicly Published: December 4, 2023
- Researcher: István Márton
- Description: The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Summary:
The MW WP Form plugin for WordPress has a vulnerability in versions up to and including 5.0.1 that allows unauthenticated arbitrary file uploads due to insufficient file type validation. The vulnerability is patched in version 5.0.2.
Detailed Overview:
István Márton discovered an unauthenticated arbitrary file upload vulnerability in the WordPress MW WP Form plugin versions up to and including 5.0.1. The vulnerability is due to insufficient file type validation in the '_single_file_upload' function. This allows unauthenticated attackers to upload arbitrary files, including PHP files, to the affected site's server. Successful exploitation of this vulnerability may lead to remote code execution.
Advice for Users:
- Immediate Action: Update to version 5.0.2 as soon as possible.
- Check for Signs of Compromise: Review wp-content, starting with wp-content/uploads, for unexpected files, in particular PHP or other server-executable files. Also check for signs of malicious redirects or code execution.
- Alternate Plugins: Consider alternative form plugins like Formidable Forms or Contact Form 7 as a precaution.
- Stay Updated: Always keep plugins updated to avoid vulnerabilities.
Conclusion:
The prompt patch release underscores the importance of timely updates. Users should update to version 5.0.2 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mw-wp-form
Detailed Report:
Beware This Critical WordPress Plugin Vulnerability
Keeping your WordPress website secure should be a top priority – but with plugins constantly needing updates, it can be a challenge even for experienced users. Unfortunately, skipping those updates can leave your site seriously exposed.
Case in point: a dangerous vulnerability was recently disclosed in MW WP Form, a popular form building plugin with over 200,000 active installs. The plugin allows easy creation of contact forms, surveys and more.
But researchers discovered a flaw allowing unauthenticated arbitrary file uploads in versions up to and including 5.0.1. Specifically, the vulnerability stems from insufficient validation of uploaded file types in the _single_file_upload function.
This effectively gives attackers an open door to upload malicious files like backdoors for stealing data or inserting rogue code. And since authentication isn’t required to exploit it, your site could be compromised at any time.
Just How Bad Is This Vulnerability?
The vulnerability received a severity score of 9.8 out of 10 on the CVSS scale, making it critical: the flaw is reachable over the network with no authentication or user interaction, and a successful upload can fully compromise confidentiality, integrity and availability. Attacks could lead to total site takeover, data theft, SEO spam injection and other black hat abuse of your site.
Unfortunately, automated attacks on vulnerable WordPress sites are common – so hackers could easily exploit the flaw en masse if the patch isn’t applied.
Updating ASAP Is a Must
The good news is the developers released a patched update fixing the vulnerability. Upgrading to version 5.0.2 blocks this attack vector by restricting file uploads to safe types.
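To show what "insufficient file type validation" and "restricting file uploads to safe types" mean in practice, here is an added PHP example that is not code from MW WP Form or its author: a weak check of the kind that lets a PHP file through, next to a hardened check. Function names, the allowlist and the sample files are this example's own assumptions; inside a WordPress plugin, wp_check_filetype_and_ext() and wp_handle_upload() give you the hardened behaviour without hand-rolling it.

```php
<?php
// Added example, not code from MW WP Form: a weak upload check of the kind that
// lets "arbitrary file upload" happen, beside a hardened check. Both take a
// $_FILES-style array; function names and the allowlist are this example's own.

// WEAK: a short denylist on the final extension, plus trust in the client-sent
// MIME type. "shell.phtml" is not on the list, and "shell.php" sent with
// Content-Type: image/jpeg is accepted by the second branch.
function weak_is_allowed(array $file): bool
{
    $blocked = ['php', 'exe'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true) || strpos($file['type'], 'image/') === 0;
}

// HARDENED: allowlist of extension => MIME types the bytes must actually match.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Extensions a typical web server or PHP-FPM setup will hand to the interpreter.
// They are rejected wherever they appear in the name, so "shell.php.jpg" fails
// even though its final extension is allowlisted.
const EXECUTABLE_EXT = '/^(php\d*|phtml|phar|pht|phps|shtml|cgi|pl)$/i';

function hardened_is_allowed(array $file): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    $name  = basename((string) $file['name']);      // drop any path component
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {    // no extension, or a dotfile
        return false;
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (preg_match(EXECUTABLE_EXT, $segment)) {
            return false;
        }
    }
    $ext = strtolower(end($parts));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    // Sniff the bytes instead of trusting $file['type'], which the client sets.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return in_array($detected, ALLOWED_TYPES[$ext], true);
}

// Store under a server-chosen name so the attacker never controls the path.
// In production, pair this with is_uploaded_file()/move_uploaded_file().
function safe_target_name(array $file): string
{
    return bin2hex(random_bytes(16)) . '.' . strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
}

// Demo with constructed inputs: temp files standing in for PHP's upload tmp files.
$cases = [
    ['photo.gif',     'image/gif',  "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['shell.php',     'image/jpeg', "<?php system(\$_GET['c']); ?>"],
    ['shell.phtml',   'text/plain', "<?php system(\$_GET['c']); ?>"],
    ['shell.php.jpg', 'image/jpeg', "<?php system(\$_GET['c']); ?>"],
    ['fake.png',      'image/png',  "<?php system(\$_GET['c']); ?>"],  // right name, wrong bytes
];
foreach ($cases as [$name, $type, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $file = ['name' => $name, 'type' => $type, 'tmp_name' => $tmp,
             'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
    printf("%-14s weak=%-5s hardened=%s\n", $name,
        weak_is_allowed($file) ? 'allow' : 'deny',
        hardened_is_allowed($file) ? 'allow' : 'deny');
    unlink($tmp);
}
```

Run it with `php validate.php`: the hardened check denies every constructed shell, including shell.php.jpg and the PHP payload named fake.png, while the weak check allows all of them. Two points carry the weight: the decision is made from the file's bytes and an allowlist rather than from the client-supplied MIME type and a denylist, and the stored filename is chosen by the server, not the uploader.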
You’ll also want to check your file manager under wp-content, starting with wp-content/uploads where WordPress stores uploaded files, for any unexpected files, especially PHP files, that may have been uploaded before you applied the update. Remove them, but treat any such file as evidence of a compromise rather than the whole of it: an attacker who got code running on the server may also have added users, scheduled tasks or other backdoors elsewhere, so a full clean-up, or a restore from a backup taken before the intrusion, is the safer course.
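As a concrete form of that check, here is an added PHP command-line scanner that is not part of the page or the plugin. It walks an uploads tree and lists files with a server-executable extension anywhere in the name, per-directory PHP configuration files, and files whose first bytes contain a PHP open tag despite an innocent name; the default path, the names and the extension list are assumptions of the example.

```php
<?php
// Added example, not from the page or the plugin: walk an uploads tree and report
// files that a form plugin should never have written there. Path defaults to
// wp-content/uploads; pass another as the first argument. Names are the example's own.

// Extensions the web server or PHP may execute, wherever they sit in the name.
const EXEC_EXT_RE = '/\.(php\d*|phtml|phar|pht|phps|shtml|cgi|pl)(\.|$)/i';
// Files that can change how PHP treats the directory (re-enable execution,
// set auto_prepend_file, ...). Legitimate hardening may add them; review either way.
const CONFIG_NAMES = ['.htaccess', '.user.ini', 'php.ini', 'web.config'];

function suspicious_reasons(string $path): array
{
    $reasons = [];
    $name = basename($path);
    if (preg_match(EXEC_EXT_RE, $name)) {
        $reasons[] = 'executable extension';
    }
    if (in_array(strtolower($name), CONFIG_NAMES, true)) {
        $reasons[] = 'per-directory config file';
    }
    // A PHP open tag inside an "image" or document: classic disguised web shell.
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
        $reasons[] = 'PHP open tag in content';
    }
    return $reasons;
}

function scan_uploads(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = suspicious_reasons($info->getPathname());
        if ($reasons) {
            $hits[] = [
                'path'     => $info->getPathname(),
                'modified' => date('Y-m-d H:i:s', $info->getMTime()),
                'reasons'  => $reasons,
            ];
        }
    }
    // Newest first: files written while the vulnerable version was installed matter most.
    usort($hits, fn($a, $b) => strcmp($b['modified'], $a['modified']));
    return $hits;
}

$root = $argv[1] ?? 'wp-content/uploads';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}
$hits = scan_uploads($root);
foreach ($hits as $h) {
    printf("%s  %s  [%s]\n", $h['modified'], $h['path'], implode(', ', $h['reasons']));
}
printf("%d suspicious file(s) under %s\n", count($hits), $root);
exit($hits ? 1 : 0);
```

Run it as `php scan-uploads.php /path/to/wp-content/uploads`; a non-zero exit means something was flagged. Hits are listed newest first, which is the order you want when asking what changed between the vulnerable version being installed and the update being applied. A .htaccess under uploads may be legitimate hardening, so the script reports it for review rather than deleting anything.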
And of course, this is an urgent reminder about staying on top of updates in general. Skip them, and you may end up with a hacked site. Set calendar reminders if needed to stay secure.
The Bigger Picture
Looking more broadly, MW WP Form has faced security issues before. Since May 2023, two previous vulnerabilities have been reported – so additional vigilance with this plugin is warranted.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.