A serious security vulnerability discovered in the popular MW WP Form plugin has put more than 200,000 WordPress websites at risk. The flaw could allow attackers to take full control of affected websites under certain conditions.
The issue was reported through the bug bounty program run by Wordfence and has been assigned a high severity rating and the identifier CVE-2026-4347. ISMAILSHADOW earned a bounty of $3,105 for reporting this vulnerability.
The vulnerability allows unauthenticated attackers to move arbitrary files on a server. This means an attacker does not need to log in to exploit it. An attacker can even move important files like wp-config.php. If the file is moved or removed, the website can break and enter setup mode. At that point, an attacker can take control by connecting the site to a database under their control. This can lead to a full site takeover or even remote code execution.
The vulnerability is not active in all setups. The risk exists when the “Saving inquiry data in database” option is turned on, and the form allows file uploads. In this setup, uploaded files are stored on the server and processed in a way that does not properly validate file paths. This is where the issue happens.
The problem lies in how the plugin handles file paths. The plugin tries to validate file paths to prevent misuse, but it only checks relative paths and does not handle absolute paths correctly. Because of this, attackers can provide specially crafted input that points at files outside the intended directory. The file is then moved using a server-side file operation, which allows attackers to move, and thereby effectively delete, important files.
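The following is an added illustration written for this article, not code from MW WP Form or its developer, in PHP because that is the language WordPress plugins are written in. It places a hypothetical check that only guards against relative traversal (`weakIsAllowed`) next to a hardened version (`resolveInside`) that anchors every input under the upload directory, canonicalises it with `realpath()`, and rejects anything that resolves outside that directory. The function names, the temporary directories and the sample files are all constructed for the demo.

```php
<?php
// Added example, not code from MW WP Form: a path check that only guards
// relative traversal next to one that canonicalises and enforces the base.
// Directory and file names below are constructed for the demo.

// Weak pattern: rejects "../" components but lets an absolute path through.
function weakIsAllowed(string $userPath): bool
{
    return strpos($userPath, '..') === false;
}

// Hardened pattern: anchor every input under $baseDir, canonicalise with
// realpath(), then require the result to stay inside the base directory.
// Returns the resolved path, or null when the path is missing or escapes.
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Stripping leading separators makes an absolute input relative to $base,
    // so an absolute path can no longer name a file outside the upload area.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo: an upload area and a separate file outside it, both created in the
// system temp directory so the script runs stand-alone.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo-' . bin2hex(random_bytes(4));
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside-demo-' . bin2hex(random_bytes(4)) . '.txt';
mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'form-upload.txt', 'constructed sample');
file_put_contents($outside, 'constructed file outside the upload area');

$inputs = [
    'form-upload.txt',            // legitimate relative name inside the upload area
    $outside,                     // absolute path outside the upload area
    '../' . basename($outside),   // relative traversal to the same outside file
];

foreach ($inputs as $input) {
    printf(
        "%-60s weak: %-8s hardened: %s\n",
        $input,
        weakIsAllowed($input) ? 'allowed' : 'rejected',
        resolveInside($uploads, $input) ?? 'rejected'
    );
}

// Remove the constructed files again.
unlink($uploads . DIRECTORY_SEPARATOR . 'form-upload.txt');
rmdir($uploads);
unlink($outside);
```

Running the script shows the difference the article describes: the relative-only check stops the `../` input but passes the absolute path unchanged, while the canonicalising check rejects both and accepts only the file that really lives under the upload directory. The design point is that the decision is made on the resolved path returned by `realpath()`, not on the raw string the user supplied.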
The plugin developer, Monkey Wrench Inc., responded quickly after being notified. A patched version, 5.1.1, was released on March 26, 2026.
From the description, this is clearly a high-risk vulnerability. Any public-facing form with the affected configuration could be targeted. Website owners should take this seriously and act quickly: they must update the MW WP Form plugin to version 5.1.1 or later without delay.
It is also advisable to keep all plugins, themes, and WordPress core updated. You should always install a reliable security plugin and enable firewall protection.
Techlomedia Internet offers WordPress development, security audits, and hardening services. If you want to secure your website, fix vulnerabilities, or build a safer WordPress setup, you can get in touch with Techlomedia Internet for professional support.