{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4347", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T16:39:37.224Z", "datePublished": "2026-04-02T05:28:07.910Z", "dateUpdated": "2026-04-03T13:56:04.174Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-02T05:28:07.910Z"}, "affected": [{"vendor": "inc2734", "product": "MW WP Form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the \u201cSaving inquiry data in database\u201d option is enabled."}], "title": "MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271"}, {"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/models/class.directory.php#L138"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "timeline": [{"time": "2026-03-26T00:22:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-01T16:50:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:44:20.052393Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:56:04.174Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:44:20.052393Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:07.146Z"}}], "cna": {"title": "MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir", "credits": [{"lang": "en", "type": "finder", "value": "ISMAILSHADOW"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "inc2734", "product": "MW WP Form", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-26T00:22:58.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-01T16:50:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271"}, {"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/models/class.directory.php#L138"}], "descriptions": [{"lang": "en", "value": "The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the \u201cSaving inquiry data in database\u201d option is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-02T05:28:07.910Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4347", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:56:04.174Z", "dateReserved": "2026-03-17T16:39:37.224Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-02T05:28:07.910Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the \u201cSaving inquiry data in database\u201d option is enabled."}], "id": "CVE-2026-4347", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-02T06:16:23.297", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/models/class.directory.php#L138"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MW WP Form", "source": "cna", "vendor": "inc2734"}, "product": "mw_wp_form", "vendor": "inc2734"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T09:23:33.001985+00:00", "value": {"mitigation_remediation": ["Upgrade the MW WP Form plugin to the latest available version (at least 5.1.1).", "If an update cannot be applied immediately, disable the form\u2019s file\u2011upload capability or turn off the 'Saving inquiry data in database' setting to prevent the vulnerable logic from executing."], "summary": {"action": "Patch immediately", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are inc2734:MW WP Form plugin for WordPress. All versions up to and including 5.1.0 are vulnerable.", "description_and_impact": "The MW WP Form plugin for WordPress is vulnerable to an arbitrary file move flaw caused by insufficient path validation in the 'generate_user_filepath' and 'move_temp_file_to_upload_dir' functions. This flaw permits an unauthenticated attacker to relocate any file on the server if the form includes a file\u2011upload field and the 'Saving inquiry data in database' option is enabled. By moving critical files such as wp-config.php, an attacker could achieve remote code execution or compromise the site\u2019s configuration.", "risk_and_exploitability": "The vulnerability carries a high severity CVSS score of 8.1. Exploit probability data is not available, and the issue is not listed in the CISA KEV catalog. The attack requires no authentication and relies on the presence of a file\u2011upload field and a certain form configuration. Given the high CVSS and the potential for remote code execution, the risk is significant for any WordPress site running the affected plugin."}}}}, "created": "2026-04-02T20:15:44.514736+00:00", "updated": "2026-04-02T20:22:20.088069+00:00", "vendors": ["inc2734", "inc2734$PRODUCT$mw_wp_form", "wordpress", "wordpress$PRODUCT$wordpress"]}