WordPress Plugin Vulnerabilities

MW WP Form < 5.0.4 - Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion

Description

The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Affects Plugins

Plugin icon
mw-wp-form
Fixed in 5.0.4

References

CVE
CVE-2023-6559
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/412d555c-9bbd-42f5-8020-ccfc18755a79

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Thomas Sanzey
Verified
No
WPVDB ID
36fe6757-c1a5-46ed-8451-4323c17c30a9

Timeline

Publicly Published
2023-12-15 (about 2 years ago)
Added
2023-12-19 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
WooCommerce Support Ticket System < 17.8 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2026-02-09
Title
Upload Files Anywhere <= 2.8 - Unauthenticated Arbitrary File Deletion
Published
2015-03-13
Title
IP Blacklist Cloud < 3.43 - Admin+ Arbitrary File Disclosure
Published
2024-06-06
Title
Qi Addons For Elementor < 1.7.3 - Authenticated (Contributor+) Local File Inclusion
Published
2025-08-19
Title
Redirection for Contact Form 7 < 3.2.5 - Unauthenticated Arbitrary File Deletion