Critical vulnerability in the MW WP Form plugin allows attackers to move sensitive files

In early April 2026, the WordPress security community identified a concerning vulnerability in the MW WP Form plugin, a contact form tool used by thousands of WordPress websites worldwide. What makes this vulnerability especially dangerous is not only its high severity score (8.1/10), but also the fact that an attacker does not need to log in or have any privileges to carry out the attack.

This article will explain what the vulnerability is, how it works, what consequences it could have for your website, and most importantly, what you should do to protect your site.

Vulnerability overviewLink to heading

Information	Details
Vulnerability ID	CVE-2026-4347
Affected Plugin	MW WP Form
Affected Versions	All versions ≤ 5.1.0
Published Date	April 2, 2026
Severity	HIGH - 8.1/10 (CVSS v3.1)
Vulnerability Type	Path Traversal (CWE-22)
Authentication Required?	No
Special Privileges Required?	No
User Interaction Required?	No

What is MW WP Form?Link to heading

What is MW WP Form?

MW WP Form is a WordPress plugin that lets users create contact forms, registration forms, or file upload forms without coding knowledge. It is popular because it offers:

A simple drag-and-drop interface that is easy to use even for non-technical users.
Support for file uploads such as PDFs, images, and documents.
An option to save all submitted data to the database for later review.
Good compatibility with most popular WordPress themes.

These useful features, especially file upload and database storage, are exactly where the vulnerability lies.

How does the vulnerability work?Link to heading

This vulnerability belongs to the Path Traversal (CWE-22) category, an attack that occurs when a web application does not properly sanitize user-controlled path strings before using them in file system operations.

In MW WP Form, the problem lies in two file-handling functions in the upload flow:

generate_user_filepath - the function responsible for building the destination path for uploaded files
move_temp_file_to_upload_dir - the function that moves a file from a temporary directory to its destination

Both functions accept user input but do not perform sufficient validation to remove dangerous path traversal sequences such as ../ (parent directory traversal). This allows an attacker to inject arbitrary path strings into the input parameter, escape the intended upload directory, and point to any location on the filesystem that the web server process can access.

A simplified example of a possible payload:

filename = "../../wp-config.php"

When the plugin processes this string without normalizing and validating the path, the system will move the target file (in this case, wp-config.php) out of its original location and place it into a directory chosen by the attacker, including publicly accessible directories under the web root.

Notably, this is an arbitrary file move vulnerability, not a typical arbitrary file upload or arbitrary file read issue. The attacker does not upload a malicious file to the server; instead, they exploit sensitive files that already exist on the system. This makes many common defenses, such as checking file upload extensions, completely ineffective against this attack vector.

Conditions required for exploitationLink to heading

The only positive aspect of this issue is that it does not automatically affect every website using MW WP Form. It can only be exploited when both of the following conditions are met:

Your form includes at least one field that allows users to upload a file.
The “Saving inquiry data in database” option is enabled, meaning form submissions are stored in the WordPress database.

If your website only has a simple contact form without file uploads, or if file uploads are enabled but database saving is turned off, the direct risk from this vulnerability is lower. However, reviewing and updating the plugin is still something you should do immediately.

Possible consequencesLink to heading

Possible consequences of CVE-2026-4347 exploitation W7SFW

Scenario 1: A website that receives job applicationsLink to heading

You manage a company website with a careers page. The form includes a CV upload field (PDF/Word), and you enable database saving so HR can review submissions later. An attacker submits a specially crafted form, causing the plugin to move wp-config.php into a public directory on the website.

wp-config.php is the heart of every WordPress website and contains:

The site’s database details, including name, password, and host
Secret security keys used to encrypt login sessions
The database table prefix, which helps attackers craft more precise queries
Debug settings and other system configuration values

If this file is exposed, an attacker can connect directly to the database and read or delete all data, including customer information, orders, and user accounts.

Scenario 2: E-commerce websiteLink to heading

You run an online store with a customer support form that allows users to attach images of defective products. The database stores communication history. Through the vulnerability, an attacker moves a malicious PHP file into a directory that can be executed through the browser. This opens the door to Remote Code Execution.

With Remote Code Execution, an attacker can:

Install a permanent backdoor on the website, allowing them to return at any time even after you change the password.
Redirect all traffic to a phishing website.
Use your server to attack other websites, making you both a victim and an attacker at the same time.
Inject malware into website content and infect visitors’ computers.

Scenario 3: Professional service website Link to heading

You have a consultation form that allows customers to attach documents. Through the vulnerability, the attacker does not cause obvious disruption but quietly moves log files or configuration files to collect internal email addresses, system structure, and technical information. This information is then used to carry out highly convincing, targeted phishing campaigns against your employees or customers.

Step-by-step response guide Link to heading

Step-by-step response guide

Step 1: Determine whether your website is affectedLink to heading

Log in to WordPress and go to Plugins → Installed Plugins.
Find “MW WP Form” in the list.
Check the version number shown under the plugin name.
If it is 5.1.0 or lower, your site is in the affected range.
Then check each form in use to see whether it has a file upload field and whether “Saving inquiry data in database” is enabled.

Step 2: Apply emergency measures while waiting for the patchLink to heading

If you cannot update right away:

Option A (Recommended): Disable “Saving inquiry data in database” in the settings of all active forms. This removes one of the two exploitation conditions without affecting form functionality.
Option B: Temporarily disable or remove the file upload field from the form if it is not truly needed right now.
Option C (If you are unsure): Temporarily deactivate the entire plugin until a patch is available. The forms will stop working, but this is the safest choice when no clear workaround is available.

Step 3: Update the plugin as soon as a patch is released Link to heading

Follow the official MW WP Form page on WordPress.org. When an update is announced:

Back up the entire website before updating, including files and the database.
Update the plugin.
Check the website again after the update to make sure everything works normally.

Step 4: Check for signs of compromiseLink to heading

Even if you only just discovered the vulnerability, that does not mean no one has already exploited it. Check the following:

Check important files:

Confirm that wp-config.php is still in the correct location (the website root) and does not appear in other directories.
Check the wp-content/uploads directory for suspicious PHP files (PHP files should not appear in uploads).
Compare the file list with your most recent backup, if available.

Step 4: Check for signs of compromise

Check access logs:

If your hosting account has cPanel or a similar control panel, review the Access Logs from the past 30 days.
Look for unusual requests to pages with upload forms, especially requests containing ../ or suspicious paths in parameters.

Check admin accounts:

Go to WordPress → Users and look for any unfamiliar admin accounts.
Check notification emails, since WordPress usually sends an email when a new admin account is created.

Check website content:

Use tools like Google Search Console to see whether any unexpected pages have appeared.
Search your website name on Google to check whether suspicious links have been injected.

Step 5: Strengthen long-term securityLink to heading

This is a good opportunity to build a stronger security foundation for your website:

For plugins and themes:

Remove all unused plugins; each old plugin is a potential attack surface.
Avoid themes or plugins from unofficial sources (cracked or nulled), as these are among the most common infection vectors.
Enable automatic updates for important plugins or schedule weekly update checks.

User Accounts:

Enable two-factor authentication (2FA) for all accounts with Editor-level permissions and above. This is a simple yet highly effective security measure.
Remove any unnecessary accounts, especially those belonging to former employees or collaborators.
Apply proper role-based access control: no one should have administrator privileges if their tasks only require Editor or Author roles.

Passwords:

Admin and database passwords should be at least 16 characters long, including uppercase letters, lowercase letters, numbers, and special characters.
Use a password manager instead of relying on easy-to-remember passwords.
Backups:
Set up automated daily or weekly backups and store them off-server (e.g., Google Drive, Dropbox, or a dedicated backup service).
Regularly test whether backups can actually be restored (an untestable backup is effectively useless).

Step 5: Strengthen long-term security

Firewall:

Consider deploying a Web Application Firewall (WAF) for WordPress. A WAF can block malicious requests before they reach your website, providing protection even when vulnerable plugins have not yet been patched. This is especially critical in the window between vulnerability disclosure and the release of an official fix.

If you don’t have a strong technical background or prefer not to configure complex security rules, a solution like W7SFW can be a practical choice. It operates as an external WordPress firewall, automatically analyzing incoming requests, detecting abnormal behaviors such as path traversal or suspicious file operations, and blocking threats in real time.

With a pre-built protection mechanism optimized specifically for WordPress, W7SFW helps reduce risks from unpatched vulnerabilities like CVE-2026-4347. Activate W7SFW now!

ConclusionLink to heading

From CVE-2026-4347, it’s clear that even a small flaw in input validation can open the door to serious security breaches across an entire WordPress system. Effective protection goes beyond patching, it requires a proactive defense strategy, including regular updates, strict access control, and the use of appropriate security tools like W7SFW.

Acting early today is the best way to prevent costly damage in the future.