CVE-2026-5436: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in inc2734 MW WP Form
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument — the key survives validation because the targeted file (e.g., wp-config.php) genuinely exists at the absolute path. The _get_attachments() method then re-reads the same surviving keys and passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the file into the uploads folder. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
AI Analysis
Technical Summary
The MW WP Form plugin improperly limits pathname access due to insufficient validation of the $name parameter used in generate_user_file_dirpath(). The plugin uses WordPress's path_join() function, which returns absolute paths unchanged, allowing attacker-controlled keys passed via mwf_upload_files[] POST parameters to specify arbitrary absolute file paths. During form processing, these keys survive validation if the targeted file exists, enabling the plugin to move arbitrary files on the server into the uploads directory via rename(). This vulnerability can be exploited without authentication if a file upload field is present and inquiry data saving is enabled, potentially leading to remote code execution.
Potential Impact
An unauthenticated attacker can move arbitrary files on the server, including sensitive files such as wp-config.php, into the uploads directory. This can facilitate remote code execution, compromising the affected WordPress site. The vulnerability affects all versions of MW WP Form up to and including 5.1.1. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid enabling file upload fields in forms or disable the 'Saving inquiry data in database' option to prevent exploitation.
CVE-2026-5436: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in inc2734 MW WP Form
Description
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument — the key survives validation because the targeted file (e.g., wp-config.php) genuinely exists at the absolute path. The _get_attachments() method then re-reads the same surviving keys and passes the resolved file path to move_temp_file_to_upload_dir(), which calls rename() to move the file into the uploads folder. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MW WP Form plugin improperly limits pathname access due to insufficient validation of the $name parameter used in generate_user_file_dirpath(). The plugin uses WordPress's path_join() function, which returns absolute paths unchanged, allowing attacker-controlled keys passed via mwf_upload_files[] POST parameters to specify arbitrary absolute file paths. During form processing, these keys survive validation if the targeted file exists, enabling the plugin to move arbitrary files on the server into the uploads directory via rename(). This vulnerability can be exploited without authentication if a file upload field is present and inquiry data saving is enabled, potentially leading to remote code execution.
Potential Impact
An unauthenticated attacker can move arbitrary files on the server, including sensitive files such as wp-config.php, into the uploads directory. This can facilitate remote code execution, compromising the affected WordPress site. The vulnerability affects all versions of MW WP Form up to and including 5.1.1. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid enabling file upload fields in forms or disable the 'Saving inquiry data in database' option to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-02T17:45:46.532Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d6bfa81cc7ad14dab01ac4
Added to database: 4/8/2026, 8:50:48 PM
Last enriched: 4/16/2026, 11:59:44 AM
Last updated: 5/23/2026, 6:17:16 PM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.