Security researchers at Wordfence have identified a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.
The MW WP Form plugin is utilized to simplify form creation on WordPress websites using a shortcode builder. It enables users to easily create and customize forms with various fields and options, including a feature that allows file uploads using a specific shortcode for data collection. However, it is this specific feature that is exploitable in the identified vulnerability.
The security issue, categorized as an Unauthenticated Arbitrary File Upload Vulnerability, permits hackers to upload potentially harmful files to a website without needing to be registered with the website or possess user permissions. This type of vulnerability can lead to remote code execution, enabling attackers to exploit the website and its visitors. The plugin’s file type check function, while detecting dangerous file types, does not prevent the uploading of these files, ultimately allowing attackers to upload arbitrary PHP files and execute them on the server.
The severity of this threat is dependent on the requirement that the “Saving inquiry data in database” option in the form settings must be enabled for the security gap to be exploited. The advisory rates the vulnerability as critical with a score of 9.8 out of 10.
In response to the identified security flaw, Wordfence strongly advises users of the MW WP Form plugin to update to version 5.0.2, where the vulnerability has been patched. This is especially critical for users who have enabled the “Saving inquiry data in database” option, as no permission levels are needed to execute this attack.
In conclusion, the identified security flaw in the MW WP Form plugin poses a critical threat to WordPress website owners. Users are urged to immediately update to version 5.0.2 to mitigate the risk of potential exploitation. Failure to update could result in attackers being able to upload and execute malicious code on the server, compromising the security and integrity of the website and its visitors.
Read Full Article