WordPress Plugin Vulnerabilities

MW WP Form < 5.0.2 - Unauthenticated Arbitrary File Upload

Description

The plugin does not properly handle unauthorised files from being uploaded, only logging the issue without stopping the process, allowing unauthenticated users to upload arbitrary files to the server when the 'Saving inquiry data in database' settings is enabled in the plugin

Affects Plugins

Plugin icon
mw-wp-form
Fixed in 5.0.2

References

CVE
CVE-2023-6316
URL
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated-arbitrary-file-upload-in-mw-wp-form-allows-malicious-code-execution/

Miscellaneous

Original Researcher
István Márton
Verified
Yes
WPVDB ID
7f584e8e-1166-43cd-8762-c76d648b3a08

Timeline

Publicly Published
2023-12-04 (about 2 years ago)
Added
2023-12-04 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Amoveo - Arbitrary File Upload
Published
2024-11-11
Title
kineticPay for WooCommerce < 3.0 - Unauthenticated Arbitrary File Upload
Published
2015-02-11
Title
EasyCart <= 3.0.15 - Unrestricted File Upload
Published
2025-07-17
Title
WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet < 3.2.7 - Unauthenticated Arbitrary File Upload
Published
2024-11-12
Title
WooCommerce Upload Files < 84.4 - Unauthenticated Arbitrary File Upload