Security researchers at Wordfence detailed a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.
MW WP Form Plugin
The MW WP Form plugin helps to simplify form creation on WordPress websites using a shortcode builder.
It makes it easy for users to create and customize forms with various fields and options.
The plugin has many features, including one that allows file uploads using the [mwform_file name=”file”] shortcode for the purpose of data collection. It is this specific feature that is exploitable in this vulnerability.
Unauthenticated Arbitrary File Upload Vulnerability
An Unauthenticated Arbitrary File Upload Vulnerability is a security issue that allows hackers to upload potentially harmful files to a website. Unauthenticated means that the attacker does not need to be registered with the website or need any kind of permission level that comes with a user permission level.
These kinds of vulnerabilities can lead to remote code execution, where the uploaded files are executed on the server, with the potential to allow the attackers to exploit the website and site visitors.
The Wordfence advisory noted that the plugin has a check for unexpected filetypes but that it doesn’t function as it should.
According to the security researchers:
“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.