Cyber Posture

CVE-2026-4347

High

Published: 02 April 2026
Modified: 27 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the "Saving inquiry data in database" option is enabled.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly counters the insufficient file path validation in the generate_user_filepath and move_temp_file_to_upload_dir functions, preventing path traversal and arbitrary file moves.
- prevent: Remediates the specific flaw in MW WP Form plugin versions up to 5.1.0 through timely patching or updates to eliminate the vulnerability.
- prevent: Mitigates exploitation by enforcing least functionality, such as disabling file upload fields and the "Saving inquiry data in database" option when not essential.

Security Summary

CVE-2026-4347 is a vulnerability in the MW WP Form plugin for WordPress, affecting all versions up to and including 5.1.0. It arises from insufficient file path validation in the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function, enabling arbitrary file moving on the server. This issue, classified under CWE-22 (Path Traversal), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-02.

Unauthenticated attackers can exploit the vulnerability only under specific conditions: a file upload field must be present in the form, and the "Saving inquiry data in database" option must be enabled. Successful exploitation allows attackers to move arbitrary files on the server, which can readily result in remote code execution, for instance by relocating critical files such as wp-config.php.

Advisories point to the vulnerable code in the plugin's Main.php (line 271) and Directory.php (line 138) files, as detailed in the WordPress plugin trac repository. Additional analysis is available via Wordfence's threat intelligence page, which provides further vulnerability specifics.

Details

CWE(s): CWE-22 (Path Traversal)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The path traversal vulnerability in a public-facing WordPress plugin directly enables initial access via exploitation of a web application (T1190) and facilitates remote code execution by allowing arbitrary file moves to deploy web shells (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
