In a recent revelation by Wordfence, a critical security flaw has been discovered in the MW WP Form plugin, affecting versions up to 5.0.1. This vulnerability allows unauthorised individuals to upload arbitrary files, including potentially harmful PHP backdoors. These files can be executed on the server, presenting a significant security risk.
Understanding the MW WP Form plugin
The MW WP Form plugin is famous for creating forms on WordPress websites. It uses a shortcode builder, making it straightforward for users to design and customise forms with various fields and options. A key feature of this plugin is its file upload capability, facilitated by the [mwform_file name= “file”] shortcode. Unfortunately, this feature has become the focal point of the vulnerability.
The nature of the vulnerability
Termed as an Unauthenticated Arbitrary File Upload Vulnerability, this security flaw allows hackers to upload dangerous files to a website without needing registration or authorisation. Such vulnerabilities can escalate to remote code execution, where the uploaded files are executed on the server, potentially allowing attackers to compromise the website and endanger visitors.
The advisory from Wordfence pointed out a defect in the plugin's file type check mechanism. While it can detect unsafe file types, a runtime exception allows these files to be uploaded regardless. This oversight enables attackers to upload and activate arbitrary PHP files on the server.
Conditions for a successful attack
This vulnerability poses a significant risk, particularly if the “Saving inquiry data in database” option in the plugin settings is enabled. It has been rated as critically severe, scoring 9.8 out of 10.
Recommended actions for users
Wordfence strongly recommends users of the MW WP Form plugin update to the latest version, 5.0.2, where this issue has been addressed. This advice is especially pertinent for users who have activated the “Saving inquiry data in database” option, as the vulnerability does not require any special permissions to be exploited.
Users should refer to the full Wordfence advisory for comprehensive details and guidance.