Security researchers at Wordfence detailed a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.
The MW WP Form plugin helps to simplify form creation on WordPress websites using a shortcode builder.
It makes it easy for users to create and customize forms with various fields and options.
The plugin has many features, including one that allows file uploads using the [mwform_file name="file"] shortcode for the purpose of data collection. It is this specific feature that is exploitable in this vulnerability.
An Unauthenticated Arbitrary File Upload Vulnerability is a security issue that allows hackers to upload potentially harmful files to a website. Unauthenticated means that the attacker does not need to be registered with the website or hold any user permission level.
These kinds of vulnerabilities can lead to remote code execution, where the uploaded files are executed on the server, with the potential to allow the attackers to exploit the website and site visitors.
The Wordfence advisory noted that the plugin has a check for unexpected filetypes but that it doesn’t function as it should.
According to the security researchers:
“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.
…even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.
This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
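The failure mode the advisory describes, a check that detects the bad file type but whose exception is caught and only logged, is shown below next to a fail-closed version. This is an added PHP illustration, not the plugin's own code; the function names, the allow-list and the sample filenames are hypothetical.

```php
<?php
// Illustrative only: hypothetical names, not the MW WP Form source.
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'pdf'];

// Returns false for any extension outside the allow-list.
function is_allowed_file_type(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Stand-in for moving the upload into the web-accessible uploads directory.
function store_upload(string $filename): string {
    return 'stored:' . basename($filename);
}

// Fail-open: the rejection is raised and caught inside the same function,
// the catch block only logs, and execution continues to store_upload().
function handle_upload_fail_open(string $filename, array &$log): ?string {
    try {
        if (!is_allowed_file_type($filename)) {
            throw new RuntimeException("disallowed file type: $filename");
        }
    } catch (RuntimeException $e) {
        $log[] = $e->getMessage();   // logged, but nothing stops the upload
    }
    return store_upload($filename);
}

// Fail-closed: a rejected file never reaches store_upload().
function handle_upload_fail_closed(string $filename, array &$log): ?string {
    try {
        if (!is_allowed_file_type($filename)) {
            throw new RuntimeException("disallowed file type: $filename");
        }
    } catch (RuntimeException $e) {
        $log[] = $e->getMessage();
        return null;                 // abort: the caller reports an error
    }
    return store_upload($filename);
}

// Constructed sample input: one allowed file, one disallowed file.
$log = [];
foreach (['report.pdf', 'notes.php'] as $name) {
    printf("%-11s fail-open=%s fail-closed=%s\n", $name,
        var_export(handle_upload_fail_open($name, $log), true),
        var_export(handle_upload_fail_closed($name, $log), true));
}
```

For the disallowed file, the fail-open handler still returns a stored path while the fail-closed handler returns NULL; both write the same log entry, which is why the log alone does not show whether the upload was blocked.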
The severity of this threat is limited by one requirement: the “Saving inquiry data in database” option in the form settings must be enabled for this security gap to be exploited.
The security advisory notes that the vulnerability is rated critical with a score of 9.8 out of 10.
Wordfence strongly advises users of the MW WP Form plugin to update their versions of the plugin.
The vulnerability is patched in the latest version of the plugin, version 5.0.2.
The threat is particularly critical for users who have enabled the “Saving inquiry data in database” option in the form settings, and it is compounded by the fact that no permission levels are needed to execute this attack.
Read the Wordfence advisory: