Sunday, 15 June 2025
34 C
Singapore
32.7 C
Thailand
24.5 C
Indonesia
29.8 C
Philippines

Critical security breach in popular WordPress plugin impacts over 200,000 installations

Learn about the critical security flaw in the MW WP Form WordPress plugin affecting over 200,000 sites and how to protect your website effectively.

In a recent revelation by Wordfence, a critical security flaw has been discovered in the MW WP Form plugin, affecting versions up to 5.0.1. This vulnerability allows unauthorised individuals to upload arbitrary files, including potentially harmful PHP backdoors. These files can be executed on the server, presenting a significant security risk.

Understanding the MW WP Form plugin

The MW WP Form plugin is famous for creating forms on WordPress websites. It uses a shortcode builder, making it straightforward for users to design and customise forms with various fields and options. A key feature of this plugin is its file upload capability, facilitated by the [mwform_file name= “file”] shortcode. Unfortunately, this feature has become the focal point of the vulnerability.

The nature of the vulnerability

Termed as an Unauthenticated Arbitrary File Upload Vulnerability, this security flaw allows hackers to upload dangerous files to a website without needing registration or authorisation. Such vulnerabilities can escalate to remote code execution, where the uploaded files are executed on the server, potentially allowing attackers to compromise the website and endanger visitors.

The advisory from Wordfence pointed out a defect in the plugin’s file type check mechanism. While it can detect unsafe file types, a runtime exception allows these files to be uploaded regardless. This oversight enables attackers to upload and activate arbitrary PHP files on the server.

Conditions for a successful attack

This vulnerability poses a significant risk, particularly if the “Saving inquiry data in database” option in the plugin settings is enabled. It has been rated as critically severe, scoring 9.8 out of 10.

Wordfence strongly recommends users of the MW WP Form plugin update to the latest version, 5.0.2, where this issue has been addressed. This advice is especially pertinent for users who have activated the “Saving inquiry data in database” option, as the vulnerability does not require any special permissions to be exploited.

Users should refer to the full Wordfence advisory for comprehensive details and guidance.

Hot this week

New Relic adds Model Context Protocol support to improve AI observability

New Relic adds MCP support to its AI Monitoring tool, enabling deeper visibility across AI agents, protocols, and backend systems.

Commvault strengthens data protection with post-quantum cryptography capabilities

Commvault expands post-quantum cryptography support with HQC to protect long-term data from future quantum computing threats.

Xbox enters handheld gaming with ROG Ally, taking aim at Steam Deck—not Switch 2

Xbox’s ROG Ally handheld targets Steam Deck with new software and powerful specs, and it will launch this autumn to shake up PC gaming.

Meta in talks to invest over US$10 billion in Scale AI

Meta may invest over US$10B in Scale AI, marking one of the biggest private AI funding deals and Meta’s largest external AI investment ever.

Redmagic 10S Pro launches in Singapore with faster gaming performance and exclusive offers

Redmagic 10S Pro lands in Singapore with overclocked performance, S$270 early bird deals, and a free cooling fan for a limited time.

Hong Kong opens skies to larger drones in bid to grow low-altitude economy

Hong Kong will allow the testing of larger drones to boost its low-altitude economy and improve logistics, following mainland China's lead.

Hong Kong to build new AI supercomputing centre in bid to lead global tech race

Hong Kong plans a new AI supercomputing centre to boost its tech hub status and support growing start-ups across the Greater Bay Area.

Steam adds full native support for Apple Silicon Macs

Steam runs natively on Apple Silicon Macs, ditching Rosetta 2 for smoother performance and better gaming on M1 and M2 devices.

Amazon taps nuclear power to boost AWS cloud energy supply

Amazon signs a 1.92 GW nuclear energy deal with Talen to power AWS cloud and explore new small modular reactors in Pennsylvania.

Related Articles

Popular Categories