CVE | April 27, 2026

Critical Arbitrary File Move in MW WP Form Plugin

Introduction

The MW WP Form plugin helps WordPress site owners build custom forms. It supports file uploads, data storage, and email delivery. Over 10,000 active sites use this plugin. It is a popular choice for complex form workflows. But a serious security flaw now puts those sites at risk. The MW WP Form arbitrary file move vulnerability lets attackers move critical files on your server. This can lead to a full site takeover.

Security researcher Rinson W. discovered the flaw. He reported it through the Wordfence bug bounty program. The vulnerability carries a CVSS score of 8.1. That makes it a HIGH severity issue. It affects all plugin versions up to 5.1.0. The developers released a fix in version 5.1.1 on April 2, 2026. A complete patch is now available.

This vulnerability allows unauthenticated attackers to move files. They do not need a user account. They do not need any special permissions. The flaw exists in two core functions of the plugin. These functions handle file paths during form submissions. The validation for those paths is incomplete. This creates a dangerous gap in security.

In this post, we break down how CVE-2026-4347 works. We explain the technical details in plain terms. We also show you how to protect your site. You need to understand this threat to defend against it. Let us walk through everything you should know.

Technical Details

The vulnerability lives in two functions inside the plugin. The first function is generate_user_filepath(). It creates a file path based on user input. The second function is move_temp_file_to_upload_dir(). It moves a temporary file to its final location. Neither function validates the file path properly. This allows an attacker to inject directory traversal sequences.

The plugin stores uploaded files in a temporary location first. Then move_temp_file_to_upload_dir() relocates them. It uses the path from generate_user_filepath() to decide where. An attacker can manipulate this path with ../ sequences. These sequences let them move a file to any directory on the server. The check for valid paths is weak and easy to bypass. The plugin does not canonicalize the path before using it.

Here is how the attack works step by step. First, the attacker submits a form with a file upload field. They craft the filename or field data to include path traversal strings. The generate_user_filepath() function processes this input. It passes the manipulated path to the move function. The move_temp_file_to_upload_dir() function then executes the file move. It does not verify the destination path is safe. Therefore, the attacker controls exactly where the file goes.

Two conditions must exist for the exploit to work. First, the form must include a file upload field. Second, the site must enable the “Saving inquiry data in database” option. This option stores form submissions in the WordPress database. Many sites enable it for record keeping. Without these conditions, the vulnerability is not exploitable. But many sites meet both requirements. For example, any standard contact form with a file attachment is vulnerable.

The plugin lacks proper path canonicalization. It does not resolve ../ sequences before moving files. It also does not check if the destination stays within the uploads directory. Standard security practices recommend strict path validation. The plugin should reject any path with traversal sequences. It should also restrict moves to a safe base directory. Version 5.1.1 adds these checks and prevents abuse.

You can review the complete source code on the MW WP Form plugin page. The WordPress plugin trac also shows all recent changes. The diff between 5.1.0 and 5.1.1 reveals the added path checks. The fix is simple but critical for security. It uses WordPress core functions for path validation instead of custom logic.

What Happens When Exploited

An attacker can move wp-config.php to a web-accessible folder. This file contains your database credentials and secret keys. It also holds authentication salts and table prefixes. Once the attacker moves it, they can read it from the browser. This exposes your entire WordPress installation. The attacker then has your database login details. They can access any data stored in your database.

Remote code execution is also possible. An attacker can move a malicious PHP file into the uploads directory. Or they can overwrite an existing plugin file with their own code. This gives them full control over your WordPress site. They can inject backdoors, steal user data, or deface your pages. The damage depends only on their intent. Some attackers install crypto miners or spam redirects. Others steal customer information for fraud.

The exploit path is straightforward for skilled attackers. They need no authentication to trigger the file move. They only need to find a form with an upload field. Automated scanners already search for this vulnerability. The CVE-2026-4347 entry on CVE.org has more details. We recommend all site owners review that reference. It includes proof-of-concept code and technical analysis.

Affected Versions

All versions of MW WP Form up to and including 5.1.0 are vulnerable. The development team released version 5.1.1 on April 2, 2026. This version fixes the path validation issue. We strongly recommend updating immediately. Do not wait for a scheduled maintenance window. Apply the update as soon as possible.

You can check your plugin version in the WordPress admin dashboard. Go to Plugins and find MW WP Form. The version number appears under the plugin name. If you see 5.1.0 or lower, you are at risk. Update to 5.1.1 or newer right away. The fix is backward compatible and should not break your forms. Your existing forms will continue to work normally.
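A version check for the affected range, as an added example not taken from the post: a POSIX shell script that reads the installed version with WP-CLI and compares it against 5.1.0 for each site path given on the command line. It assumes WP-CLI is installed and that the plugin's slug is mw-wp-form.

```shell
#!/bin/sh
# Added example (not from the original post): report MW WP Form installs whose
# version is still in the affected range (up to and including 5.1.0).

LAST_BAD="5.1.0"       # last vulnerable release named in the post
FIXED_VERSION="5.1.1"  # first patched release named in the post

# is_vulnerable VERSION -> exit 0 when VERSION <= 5.1.0, 1 otherwise.
# sort -V orders version strings component by component, so 5.1.0 < 5.1.1
# and the plain string-compare pitfall ("5.10" < "5.9") is avoided.
is_vulnerable() {
  highest=$(printf '%s\n' "$1" "$LAST_BAD" | sort -V | tail -n 1)
  [ "$highest" = "$LAST_BAD" ]
}

# check_site WP_PATH -> prints a verdict for one WordPress install. Assumes
# WP-CLI is installed and that the plugin slug is "mw-wp-form" (assumption).
check_site() {
  ver=$(wp --path="$1" plugin get mw-wp-form --field=version 2>/dev/null) || {
    echo "$1: MW WP Form not installed (or wp-cli failed)"
    return 0
  }
  if is_vulnerable "$ver"; then
    echo "$1: VULNERABLE - MW WP Form $ver <= $LAST_BAD, update to $FIXED_VERSION"
  else
    echo "$1: ok - MW WP Form $ver"
  fi
}

# Usage: sh check_mwwpform.sh /var/www/site1 /var/www/site2
for site in "$@"; do
  check_site "$site"
done
```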

Version 5.1.1 also includes other improvements. The developers added better error handling for file uploads. They improved the logging for failed file operations. These changes make the plugin more reliable overall. We still recommend testing the update on a staging site first. This is a best practice for any WordPress update. But the security benefit outweighs the risk for most users.

How to Protect Yourself

The first step is to update the plugin to version 5.1.1. This is the only guaranteed fix for the vulnerability. You can update from your WordPress admin dashboard. Go to Dashboard > Updates. Look for MW WP Form in the list. Click the update button next to it. The process takes only a few seconds. After that, the vulnerability is patched.

Second, check if any of your forms include a file upload field. Go to MW WP Form in your admin menu. Review each form template. Look for the File Upload field type. If you use upload fields, the vulnerability applies to your site. Updating to 5.1.1 still protects you, but you should verify the form settings are correct. You might also reconsider whether you need file uploads.

Third, review the “Saving inquiry data in database” option. This setting is under MW WP Form settings. An exploit requires this option to be active. If you do not need database storage, disable it. This adds an extra layer of protection. It also reduces your attack surface. Consider your workflow needs before changing this. The plugin still sends email notifications without this option.

Fourth, apply general WordPress hardening measures. Keep all plugins and themes updated. Use strong passwords for all user accounts. Enable automatic updates for security patches. Monitor your site for unexpected file changes. A security plugin can help with these tasks. These practices reduce the risk from many vulnerabilities. They also protect against zero-day threats.

Finally, audit your site regularly for vulnerable plugins. You do not need to check everything manually. A good security scanner can do this for you. It alerts you when plugins need updates. It also flags known vulnerabilities like CVE-2026-4347. Read our guide on WordPress security hardening for more tips. It covers other important protections for your site.

Do It All With One Plugin

Managing WordPress security takes time and effort. You can simplify this with the right tools. Trusti Security offers a Known Vulnerabilities Scanner. This feature checks your plugins against a live database of CVEs. It alerts you when a plugin has a known flaw. The Pro version runs automatic scans on a schedule. This catches issues like CVE-2026-4347 before attackers exploit them. You get notified immediately when a new vulnerability affects your site.

Trusti Security is a comprehensive WordPress security plugin. It includes 2FA, brute force protection, and login URL masking. You also get security headers, a core integrity scanner, and an admin activity log. The Pro version adds real-time alerts and emergency access recovery. You can manage everything from a single dashboard. This makes security simpler and more effective.

The Bottom Line

CVE-2026-4347 is a serious threat for MW WP Form users. The arbitrary file move vulnerability has a CVSS score of 8.1. It allows unauthenticated attackers to take over your site. The fix in version 5.1.1 is simple to apply. But you must act quickly to stay safe. Attackers are already scanning for vulnerable sites.

Update your plugin today. Review your form settings. Enable automatic updates if possible. Use a security plugin to monitor for threats. These steps will protect your WordPress site from this vulnerability. Do not wait until it is too late. The update takes only a few minutes and it is free.
