CVE-2026-4347 is a path traversal vulnerability classified under CWE-22 affecting the MW WP Form plugin for WordPress, versions up to and including 5.1.0. The vulnerability arises from insufficient validation of file paths in the 'generate_user_filepath' and 'move_temp_file_to_upload_dir' functions. This flaw allows unauthenticated attackers to manipulate file paths to move arbitrary files on the server. The attack vector requires that a file upload field be present in the form and that the plugin's 'Saving inquiry data in database' feature is enabled, conditions that enable the attacker to leverage the vulnerability. By moving sensitive files such as wp-config.php, attackers can potentially achieve remote code execution, compromising the server's confidentiality, integrity, and availability. The vulnerability is remotely exploitable without authentication or user interaction, but the complexity is rated high due to the need for specific plugin configuration. Although no exploits are currently known in the wild, the severity and ease of remote exploitation make this a critical concern for affected WordPress sites. The vulnerability was reserved on March 17, 2026, and published on April 2, 2026, with a CVSS v3.1 score of 8.1, reflecting high impact and network attack vector with no privileges or user interaction required.

The impact of CVE-2026-4347 is significant for organizations running WordPress sites with the MW WP Form plugin up to version 5.1.0, especially those that have enabled file upload fields and database inquiry saving. Successful exploitation can lead to unauthorized file manipulation, including moving critical configuration files like wp-config.php, which can enable remote code execution. This compromises the confidentiality of sensitive data, the integrity of the website and server, and the availability of services. Attackers gaining remote code execution can deploy malware, deface websites, steal data, or use the compromised server as a pivot point for further attacks. Given WordPress's widespread use globally, this vulnerability could affect a large number of websites, including those of small businesses, enterprises, and government entities. The lack of authentication requirement and remote exploitability increase the risk of automated attacks and widespread exploitation if left unmitigated.

To mitigate CVE-2026-4347, organizations should immediately audit their WordPress installations for the MW WP Form plugin version and configuration. If the plugin is at or below version 5.1.0 and uses file upload fields with the 'Saving inquiry data in database' option enabled, disable the file upload fields or the database saving feature until a patch or update is available. Restrict file permissions on the server to limit the ability of the web server process to move or modify critical files such as wp-config.php. Implement web application firewall (WAF) rules to detect and block suspicious path traversal attempts targeting the vulnerable functions. Monitor logs for unusual file movement or access patterns. Regularly update the MW WP Form plugin once a vendor patch is released. Additionally, consider isolating the WordPress environment using containerization or sandboxing to limit the impact of potential exploitation. Conduct penetration testing focused on file upload and path traversal vectors to validate the effectiveness of mitigations.