CVE-2026-5436

CVE-2026-5436 is an arbitrary file move and read vulnerability in the MW WP Form plugin for WordPress, affecting all versions up to and including 5.1.1. The issue stems from insufficient validation of the attacker-controlled $name parameter, which is the upload field key passed via the mwf_upload_files[] POST parameter. This parameter is loaded into the plugin's Data model and processed during form handling. Specifically, the generate_user_file_dirpath() function relies on WordPress's path_join(), which fails to enforce the intended base directory and preserves absolute paths. As a result, an attacker-supplied key referencing an existing file like wp-config.php survives validation and enables unauthorized file operations.

Unauthenticated attackers can exploit this vulnerability remotely by submitting a malicious form submission, provided the target form includes a file upload field and the "Saving inquiry data in database" option is enabled. During processing, functions like regenerate_upload_file_keys() and _get_attachments() use the tainted key to resolve absolute paths, passing them to move_temp_file_to_upload_dir(), which invokes rename() to relocate the file into the uploads directory. This allows attackers to move sensitive files such as wp-config.php, potentially leading to remote code execution, with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-22 (Path Traversal).

Mitigation details are available in referenced advisories and patches, including a GitHub commit (f872ab18ca670f5867b2241745daa30cd0fab861) that addresses the validation flaw, WordPress plugin trac changesets (e.g., 3501261), and source code locations in class.data.php and class.directory.php. Security teams should update to a patched version of the MW WP Form plugin beyond 5.1.1, as detailed in the Wordfence threat intelligence report.