
Critical security breach in popular WordPress plugin impacts over 200,000 installations

Learn about the critical security flaw in the MW WP Form WordPress plugin affecting over 200,000 sites and how to protect your website effectively.

In a recent revelation by Wordfence, a critical security flaw has been discovered in the MW WP Form plugin, affecting versions up to 5.0.1. This vulnerability allows unauthorised individuals to upload arbitrary files, including potentially harmful PHP backdoors. These files can be executed on the server, presenting a significant security risk.

Understanding the MW WP Form plugin

The MW WP Form plugin is a popular tool for creating forms on WordPress websites. It uses a shortcode builder, making it straightforward for users to design and customise forms with various fields and options. A key feature of this plugin is its file upload capability, provided by the `[mwform_file name="file"]` shortcode. Unfortunately, this feature has become the focal point of the vulnerability.

The nature of the vulnerability

Termed an Unauthenticated Arbitrary File Upload Vulnerability, this security flaw allows attackers to upload dangerous files to a website without needing registration or authorisation. Such vulnerabilities can escalate to remote code execution, where the uploaded files are executed on the server, potentially allowing attackers to compromise the website and endanger visitors.

The advisory from Wordfence pointed out a defect in the plugin’s file type check mechanism. While it can detect unsafe file types, a runtime exception allows these files to be uploaded regardless. This oversight enables attackers to upload and activate arbitrary PHP files on the server.
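To make the defect described above concrete, here is a constructed example in Python (not the plugin's own PHP code): a validator that does detect executable file types, a caller that swallows its exception and saves the file anyway, and a hardened caller that fails closed. The validator-raises / caller-catches structure is an assumption used to model a check that detects an unsafe file but does not stop the upload.

```python
# Constructed illustration of a fail-open file-type check. It is not the
# MW WP Form plugin's code; the "validator raises, caller catches and continues"
# shape is an assumption used to model "a runtime exception lets the file through".
import os

# Extensions a typical PHP web host will execute if the file lands under the web root.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "php7", "phps", "phar"}
# Allow-list of what a contact form legitimately needs to accept.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}


class UnsafeFileType(Exception):
    """Raised by the validator when it detects a disallowed file type."""


def validate_file_type(filename: str) -> None:
    """Detect unsafe uploads; signals rejection by raising (assumed design)."""
    base = os.path.basename(filename)
    # Inspect every extension segment so 'shell.php.txt' trips the check as well.
    segments = [s.lower() for s in base.split(".")[1:]]
    if not segments:
        raise ValueError(f"no extension on {base!r}")
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        raise UnsafeFileType(f"{base!r} is executable on the server")


def save_upload_fail_open(filename: str, storage: list) -> bool:
    """Vulnerable pattern: the rejection is caught and logged, then the save proceeds."""
    try:
        validate_file_type(filename)
    except Exception as exc:  # catching everything and carrying on is the bug
        print(f"warning: validation error: {exc}")
    storage.append(filename)  # reached even when the validator rejected the file
    return True


def save_upload_fail_closed(filename: str, storage: list) -> bool:
    """Hardened pattern: any validation failure, expected or not, rejects the upload."""
    try:
        validate_file_type(filename)
    except Exception:
        return False  # fail closed: no decision means no upload
    final_ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        return False  # allow-list the final extension rather than only deny-listing
    storage.append(filename)
    return True
```

Storing accepted uploads outside the web root, or in a directory where script execution is disabled, limits the damage even if a check like this is bypassed.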

Conditions for a successful attack

This vulnerability poses a significant risk, particularly if the “Saving inquiry data in database” option in the plugin settings is enabled. It has been rated as critically severe, scoring 9.8 out of 10.

Wordfence strongly recommends users of the MW WP Form plugin update to the latest version, 5.0.2, where this issue has been addressed. This advice is especially pertinent for users who have activated the “Saving inquiry data in database” option, as the vulnerability does not require any special permissions to be exploited.

Users should refer to the full Wordfence advisory for comprehensive details and guidance.
