Sunday, 31 August 2025
30.3 C
Singapore
30.9 C
Thailand
29.1 C
Indonesia
27.8 C
Philippines

Critical security breach in popular WordPress plugin impacts over 200,000 installations

Learn about the critical security flaw in the MW WP Form WordPress plugin affecting over 200,000 sites and how to protect your website effectively.

In a recent revelation by Wordfence, a critical security flaw has been discovered in the MW WP Form plugin, affecting versions up to 5.0.1. This vulnerability allows unauthorised individuals to upload arbitrary files, including potentially harmful PHP backdoors. These files can be executed on the server, presenting a significant security risk.

Understanding the MW WP Form plugin

The MW WP Form plugin is famous for creating forms on WordPress websites. It uses a shortcode builder, making it straightforward for users to design and customise forms with various fields and options. A key feature of this plugin is its file upload capability, facilitated by the [mwform_file name= “file”] shortcode. Unfortunately, this feature has become the focal point of the vulnerability.

The nature of the vulnerability

Termed as an Unauthenticated Arbitrary File Upload Vulnerability, this security flaw allows hackers to upload dangerous files to a website without needing registration or authorisation. Such vulnerabilities can escalate to remote code execution, where the uploaded files are executed on the server, potentially allowing attackers to compromise the website and endanger visitors.

The advisory from Wordfence pointed out a defect in the plugin’s file type check mechanism. While it can detect unsafe file types, a runtime exception allows these files to be uploaded regardless. This oversight enables attackers to upload and activate arbitrary PHP files on the server.

Conditions for a successful attack

This vulnerability poses a significant risk, particularly if the “Saving inquiry data in database” option in the plugin settings is enabled. It has been rated as critically severe, scoring 9.8 out of 10.

Wordfence strongly recommends users of the MW WP Form plugin update to the latest version, 5.0.2, where this issue has been addressed. This advice is especially pertinent for users who have activated the “Saving inquiry data in database” option, as the vulnerability does not require any special permissions to be exploited.

Users should refer to the full Wordfence advisory for comprehensive details and guidance.

Hot this week

AI Mode launches in Google Search in Singapore

Google has rolled out AI Mode in Search in Singapore, allowing users to ask complex questions using text, voice, or images.

Meta introduces new AI safeguards to protect teens from harmful conversations

Meta is strengthening AI safeguards to prevent teens from discussing self-harm and other sensitive topics with chatbots on Instagram and Facebook.

Alibaba introduces open-source model for digital human video generation

Alibaba launches open-source Wan2.2-S2V model, enabling lifelike digital human video generation from portraits and audio.

100 women in tech power Singapore’s digital future as nation marks 60 years

Singapore honours 100 women leaders and 25 young achievers in the SG100WIT 2025 list, marking growing female impact in tech.

Huawei to launch second triple-folding phone on 4 September

Huawei will unveil its second triple-folding smartphone, the Mate XTs, on 4 September ahead of a busy month of rival tech launches.

Meta introduces new AI safeguards to protect teens from harmful conversations

Meta is strengthening AI safeguards to prevent teens from discussing self-harm and other sensitive topics with chatbots on Instagram and Facebook.

ChatGPT to introduce parental controls as AI safety concerns rise

OpenAI is introducing parental controls for ChatGPT, addressing growing concerns about the safety of AI chatbots and their impact on young users.

Japan uses an AI simulation of Mount Fuji’s eruption to prepare citizens

Japan uses AI to simulate a Mount Fuji eruption, showing its potential devastation and promoting disaster preparedness.

Anthropic updates Claude chatbot policy to use chat data for AI training

Anthropic will utilise Claude chatbot conversations for AI training starting from 28 September, with opt-out options and a five-year data retention policy.

Related Articles

Popular Categories