CVE-2026-5436: MW WP Form Path Traversal Vulnerability

CVE-2026-5436 Overview

CVE-2026-5436 is an arbitrary file move and read vulnerability in the MW WP Form plugin for WordPress, affecting all versions up to and including 5.1.1. The flaw stems from insufficient validation of the $name parameter passed to the generate_user_file_dirpath() function. WordPress's path_join() returns absolute paths unchanged, allowing an attacker-supplied absolute path to override the intended base directory. Unauthenticated attackers can move arbitrary files on the server, including wp-config.php, into the uploads folder. Moving sensitive configuration files often leads to remote code execution or full site compromise. Exploitation requires a form with a file upload field and the "Saving inquiry data in database" option enabled.

Critical Impact
Unauthenticated attackers can move arbitrary files such as wp-config.php to web-accessible locations, exposing database credentials and enabling remote code execution.

Affected Products

MW WP Form plugin for WordPress (all versions ≤ 5.1.1)
WordPress installations with the plugin active and a file upload form field
Sites with the "Saving inquiry data in database" option enabled

Discovery Timeline

2026-04-08 - CVE-2026-5436 published to NVD
2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-5436

Vulnerability Analysis

The vulnerability resides in the form processing logic of MW WP Form. The plugin loads attacker-controlled keys from the mwf_upload_files[] POST parameter into its Data model via _set_request_valiables(). During processing, regenerate_upload_file_keys() iterates these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument.

The key passes validation because the targeted file genuinely exists at the absolute path provided. The _get_attachments() method then re-reads the same keys and forwards the resolved file path to move_temp_file_to_upload_dir(), which invokes rename() to move the file into the uploads directory. This grants unauthenticated attackers arbitrary file relocation across the server filesystem.

Root Cause

The root cause is improper path handling [CWE-22] in generate_user_file_dirpath(). The function relies on WordPress's path_join(), which returns absolute paths unchanged and discards the intended base directory. When an attacker supplies an absolute path such as /var/www/html/wp-config.php, the joined path resolves to the attacker-controlled location rather than within the plugin's sandboxed upload directory.

Attack Vector

An unauthenticated attacker submits a crafted form request to a vulnerable MW WP Form instance. The attacker injects an absolute path into the mwf_upload_files[] POST parameter, targeting a sensitive file such as wp-config.php. The plugin validates that the file exists, then calls rename() to move it into the public uploads folder. Once wp-config.php is readable via HTTP, database credentials, authentication keys, and salts are exposed, enabling full site takeover.

php

// Vulnerable flow (pre-patch) in classes/models/class.data.php
foreach ( $upload_file_keys as $key => $upload_file_key ) {
    $upload_filename = $this->get_post_value_by_key( $upload_file_key );
    $form_id         = MWF_Functions::get_form_id_from_form_key( $this->get_form_key() );
    $filepath        = MW_WP_Form_Directory::generate_user_filepath( $form_id, $upload_file_key, $upload_filename );
    if ( ! $upload_filename || ! file_exists( $filepath ) ) {
        unset( $upload_file_keys[ $key ] );
        $this->set( $upload_file_key, '' );
    }
}

// Patched version wraps generate_user_filepath() in try/catch and rejects invalid paths
try {
    $filepath = MW_WP_Form_Directory::generate_user_filepath( $form_id, $upload_file_key, $upload_filename );
} catch ( \Exception $e ) {
    error_log( $e->getMessage() );
    unset( $upload_file_keys[ $key ] );
    $this->set( $upload_file_key, '' );
    continue;
}
if ( ! $upload_filename || ! $filepath || ! file_exists( $filepath ) ) {
    unset( $upload_file_keys[ $key ] );
    $this->set( $upload_file_key, '' );
}

Source: MW WP Form Security Patch Commit

Detection Methods for CVE-2026-5436

Indicators of Compromise

Unexpected presence of wp-config.php or other system files inside the WordPress uploads directory.
POST requests to MW WP Form endpoints containing mwf_upload_files[] parameters with absolute filesystem paths.
Missing or relocated sensitive WordPress files following form submissions.
New PHP files appearing in uploads directories shortly after MW WP Form interactions.

Detection Strategies

Inspect web server access logs for POST requests to MW WP Form processing URLs containing path-like values in mwf_upload_files[].
Monitor file integrity for wp-config.php, .htaccess, and other critical WordPress files.
Audit installed MW WP Form plugin versions across all WordPress instances to identify versions ≤ 5.1.1.
Review PHP error_log entries for rename() failures and file path anomalies in plugin code.

Monitoring Recommendations

Enable file integrity monitoring on the WordPress root and wp-content/uploads/ directories.
Alert on creation of .php files within upload subdirectories.
Track WAF telemetry for suspicious POST parameters containing absolute paths (/var/, /etc/, C:\).
Correlate form submission events with filesystem changes using a centralized logging pipeline.

How to Mitigate CVE-2026-5436

Immediate Actions Required

Update the MW WP Form plugin to the version released in changeset 3501261 or later.
If immediate patching is not possible, deactivate the MW WP Form plugin until updated.
Disable the "Saving inquiry data in database" option on all forms using file upload fields.
Audit the uploads directory for misplaced sensitive files and rotate credentials if wp-config.php was exposed.

Patch Information

The vendor fixed the vulnerability in the upstream commit f872ab18ca670f5867b2241745daa30cd0fab861. The patch wraps calls to generate_user_filepath() in a try/catch block and adds validation that rejects empty or invalid $filepath values before passing them to file_exists() and rename(). Refer to the Wordfence Vulnerability Report for additional details.

Workarounds

Remove all file upload fields from MW WP Form configurations until the plugin is updated.
Disable the database inquiry-saving option to break the exploitation prerequisite.
Restrict access to form submission endpoints using WAF rules that block absolute paths in POST parameters.
Apply filesystem permissions that prevent the web server user from reading wp-config.php outside its expected location.

bash

# Block requests containing absolute path traversal in mwf_upload_files[] (ModSecurity example)
SecRule ARGS_NAMES "@rx ^mwf_upload_files\[" \
    "chain,id:1026543601,phase:2,deny,log,msg:'CVE-2026-5436 MW WP Form path injection attempt'"
    SecRule ARGS "@rx ^(/|[A-Za-z]:\\\\)" "t:none"

# Verify plugin version via WP-CLI
wp plugin get mw-wp-form --field=version

CVE-2026-5436 Overview

Critical Impact
Unauthenticated attackers can move arbitrary files such as wp-config.php to web-accessible locations, exposing database credentials and enabling remote code execution.

Affected Products

MW WP Form plugin for WordPress (all versions ≤ 5.1.1)
WordPress installations with the plugin active and a file upload form field
Sites with the "Saving inquiry data in database" option enabled

Discovery Timeline

2026-04-08 - CVE-2026-5436 published to NVD
2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-5436

Vulnerability Analysis

Root Cause

Attack Vector

php

// Vulnerable flow (pre-patch) in classes/models/class.data.php
foreach ( $upload_file_keys as $key => $upload_file_key ) {
    $upload_filename = $this->get_post_value_by_key( $upload_file_key );
    $form_id         = MWF_Functions::get_form_id_from_form_key( $this->get_form_key() );
    $filepath        = MW_WP_Form_Directory::generate_user_filepath( $form_id, $upload_file_key, $upload_filename );
    if ( ! $upload_filename || ! file_exists( $filepath ) ) {
        unset( $upload_file_keys[ $key ] );
        $this->set( $upload_file_key, '' );
    }
}

// Patched version wraps generate_user_filepath() in try/catch and rejects invalid paths
try {
    $filepath = MW_WP_Form_Directory::generate_user_filepath( $form_id, $upload_file_key, $upload_filename );
} catch ( \Exception $e ) {
    error_log( $e->getMessage() );
    unset( $upload_file_keys[ $key ] );
    $this->set( $upload_file_key, '' );
    continue;
}
if ( ! $upload_filename || ! $filepath || ! file_exists( $filepath ) ) {
    unset( $upload_file_keys[ $key ] );
    $this->set( $upload_file_key, '' );
}

Source: MW WP Form Security Patch Commit

Detection Methods for CVE-2026-5436

Indicators of Compromise

Unexpected presence of wp-config.php or other system files inside the WordPress uploads directory.
POST requests to MW WP Form endpoints containing mwf_upload_files[] parameters with absolute filesystem paths.
Missing or relocated sensitive WordPress files following form submissions.
New PHP files appearing in uploads directories shortly after MW WP Form interactions.

Detection Strategies

Inspect web server access logs for POST requests to MW WP Form processing URLs containing path-like values in mwf_upload_files[].
Monitor file integrity for wp-config.php, .htaccess, and other critical WordPress files.
Audit installed MW WP Form plugin versions across all WordPress instances to identify versions ≤ 5.1.1.
Review PHP error_log entries for rename() failures and file path anomalies in plugin code.

Monitoring Recommendations

Enable file integrity monitoring on the WordPress root and wp-content/uploads/ directories.
Alert on creation of .php files within upload subdirectories.
Track WAF telemetry for suspicious POST parameters containing absolute paths (/var/, /etc/, C:\).
Correlate form submission events with filesystem changes using a centralized logging pipeline.

How to Mitigate CVE-2026-5436

Immediate Actions Required

Update the MW WP Form plugin to the version released in changeset 3501261 or later.
If immediate patching is not possible, deactivate the MW WP Form plugin until updated.
Disable the "Saving inquiry data in database" option on all forms using file upload fields.
Audit the uploads directory for misplaced sensitive files and rotate credentials if wp-config.php was exposed.

Patch Information

Workarounds

Remove all file upload fields from MW WP Form configurations until the plugin is updated.
Disable the database inquiry-saving option to break the exploitation prerequisite.
Restrict access to form submission endpoints using WAF rules that block absolute paths in POST parameters.
Apply filesystem permissions that prevent the web server user from reading wp-config.php outside its expected location.

bash

# Block requests containing absolute path traversal in mwf_upload_files[] (ModSecurity example)
SecRule ARGS_NAMES "@rx ^mwf_upload_files\[" \
    "chain,id:1026543601,phase:2,deny,log,msg:'CVE-2026-5436 MW WP Form path injection attempt'"
    SecRule ARGS "@rx ^(/|[A-Za-z]:\\\\)" "t:none"

# Verify plugin version via WP-CLI
wp plugin get mw-wp-form --field=version

CVE-2026-5436: MW WP Form Path Traversal Vulnerability

CVE-2026-5436 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5436

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5436

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5436

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-5436: MW WP Form Path Traversal Vulnerability

CVE-2026-5436 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-5436

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-5436

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-5436

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform