Security researchers have identified a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially harmful PHP backdoors, which they can then execute on the server.
MW WP Form Plugin
The MW WP Form plugin simplifies form creation on WordPress websites using a shortcode builder. It comes with various features, including one for file uploads using the [mwform_file name="file"] shortcode for data collection. However, this specific feature has been found to be exploitable.
Unauthenticated Arbitrary File Upload Vulnerability
An Unauthenticated Arbitrary File Upload Vulnerability allows hackers to upload potentially dangerous files to a website without needing to register or obtain permission. Such vulnerabilities can lead to remote code execution, where the uploaded files are run on the server, potentially compromising the website and its visitors.
According to a security advisory, the plugin has a mechanism for checking unexpected file types, but a failed check does not stop the upload.
According to the security researchers:
“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.
…even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.
This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
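The fail-open pattern the researchers describe, next to a fail-closed version, as an added illustration that is not the plugin's code or its actual patch. All function names, the extension allowlist and the sample file names are hypothetical, and the `$saved` array stands in for writing to the uploads directory.

```php
<?php
// Illustrative sketch only: hypothetical names, not the MW WP Form source.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Returns false for any extension outside the allowlist.
function is_allowed_type(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Fail-open: the rejection is thrown and caught inside the same function,
// so it is only logged and execution falls through to the save step.
function handle_upload_fail_open(string $filename, array &$saved): bool {
    try {
        if (!is_allowed_type($filename)) {
            throw new RuntimeException("disallowed file type: $filename");
        }
    } catch (RuntimeException $e) {
        error_log($e->getMessage());   // logged, but nothing stops the upload
    }
    $saved[] = $filename;              // stands in for storing the file
    return true;
}

// Fail-closed: a failed check ends processing before anything is stored.
function handle_upload_fail_closed(string $filename, array &$saved): bool {
    if (!is_allowed_type($filename)) {
        error_log("rejected upload: $filename");
        return false;
    }
    $saved[] = $filename;
    return true;
}

// Constructed sample input.
$names = ['photo.jpg', 'report.pdf', 'example.php'];
$open = [];
$closed = [];
foreach ($names as $n) {
    handle_upload_fail_open($n, $open);
    handle_upload_fail_closed($n, $closed);
}
echo 'fail-open stored:   ' . implode(', ', $open) . PHP_EOL;
echo 'fail-closed stored: ' . implode(', ', $closed) . PHP_EOL;
```

When reviewing upload handlers, look for a validation failure whose only consequence is a log entry, with the storage step sitting outside the branch that detected it.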
Conditions for a Successful Attack
The severity of this threat depends on whether the "Saving inquiry data in database" option in the form settings is enabled. This vulnerability is rated critical, with a score of 9.8 out of 10.
Actions to Take
Users of the MW WP Form plugin are strongly advised to update to the latest version, 5.0.2, where the vulnerability has been patched. The threat is particularly severe for users who have enabled the “Saving inquiry data in database” option, as no special permissions are needed to carry out this attack.
Read the Wordfence advisory for more details:
Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution