MW WP Form < 5.1.1 – Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir | CVE 2026-4347 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.

Affects Plugins

Fixed in 5.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ISMAILSHADOW

Verified

No

WPVDB ID

7c1ced51-ef20-44a3-9746-3b6729130bb0

Timeline

Publicly Published

2026-04-01 (about 1 month ago)

Added

2026-04-01 (about 1 month ago)

Last Updated

2026-04-01 (about 1 month ago)

Other

Published

Title

Published

2015-03-03

Title

Authentic Theme - Arbitrary File Download

Published

2015-07-18

Title

wptf-image-gallery 1.0.3 - Remote File Download

Published

2016-07-10

Title

Ultimate Member < 1.3.65 - Local File Inclusion

Published

2021-07-22

Title

WooCommerce Currency Switcher < 1.3.7 - Authenticated (Low Privilege) Local File Inclusion

Published

2016-07-13

Title

Easy Forms for MailChimp < 6.1 - Local File Inclusion (LFI)