Arbitrary File Move/Read Vulnerability in MW WP Form Plugin for WordPress
CVE-2026-5436

8.1 HIGH

Key Information:

Vendor: WordPress

CVE Published: 8 April 2026

What is CVE-2026-5436?

The MW WP Form plugin for WordPress is vulnerable to arbitrary file movement on the server. The plugin does not adequately validate the $name parameter taken from the file upload field inside the generate_user_file_dirpath() function, so an unauthenticated attacker can supply a crafted key through the mwf_upload_files[] POST parameter and cause the plugin to move files to locations it was never meant to touch. If a sensitive file such as wp-config.php is targeted, the impact can escalate to remote code execution. The flaw is only reachable when the affected form contains a file upload field and the option to save inquiry data to the database is enabled.
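The following is an added illustration of the class of bug described above, written for this page; it is not MW WP Form's code and the directory layout, field names and function names in it are assumptions. It models a per-field upload directory being built from an attacker-controlled key, shows how an unvalidated key resolves to wp-config.php and lets a rename take that file out of the web root, and then shows a hardened builder that allow-lists the key, restricts its characters and checks that the resolved path still lies under the upload base.

```python
import os
import re
import shutil
import tempfile

# Hypothetical stand-in for an upload-directory builder in a WordPress plugin.
# `name` models a key an attacker submits through a mwf_upload_files[]-style
# POST array; the web root, upload base and sample config are all constructed.

FIELD_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_dirpath(upload_base: str, name: str) -> str:
    """Joins the raw key onto the upload base with no validation, so '..'
    segments in the key walk out of upload_base."""
    return os.path.join(upload_base, name)


def safe_dirpath(upload_base: str, name: str, allowed_fields: set) -> str:
    """Same purpose, hardened: the key must be one of the form's own field
    names, must match a tight character set, and the resolved path must
    remain inside upload_base after symlinks and '..' are collapsed."""
    if name not in allowed_fields:
        raise ValueError(f"unknown upload field: {name!r}")
    if not FIELD_KEY_RE.fullmatch(name):
        raise ValueError(f"invalid field key: {name!r}")
    base = os.path.realpath(upload_base)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload base: {target}")
    return target


def demo() -> dict:
    """Builds a throwaway web root and exercises both builders.
    Returns the observations as a dict so they can be checked."""
    webroot = tempfile.mkdtemp(prefix="wp-demo-")
    try:
        upload_base = os.path.join(webroot, "wp-content", "uploads", "mw-wp-form")
        os.makedirs(upload_base)
        config = os.path.join(webroot, "wp-config.php")
        with open(config, "w") as fh:  # constructed sample config
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")

        # Three '..' segments climb mw-wp-form -> uploads -> wp-content -> webroot.
        hostile_key = os.path.join("..", "..", "..", "wp-config.php")
        out = {}

        # Vulnerable builder: the key lands exactly on the real config file.
        bad_path = vulnerable_dirpath(upload_base, hostile_key)
        out["vulnerable_resolves_to_config"] = os.path.samefile(bad_path, config)

        # A rename through that path moves wp-config.php out of the web root,
        # the precondition the advisory ties to a possible escalation to RCE.
        os.rename(bad_path, os.path.join(upload_base, "moved.txt"))
        out["config_present_after_move"] = os.path.exists(config)

        # Hardened builder: hostile and unknown keys are refused, a real
        # field name resolves to a directory under the upload base.
        allowed = {"file-1"}
        try:
            safe_dirpath(upload_base, hostile_key, allowed)
            out["hardened_rejects_hostile_key"] = False
        except ValueError:
            out["hardened_rejects_hostile_key"] = True
        try:
            safe_dirpath(upload_base, "other", allowed)
            out["hardened_rejects_unknown_key"] = False
        except ValueError:
            out["hardened_rejects_unknown_key"] = True
        good = safe_dirpath(upload_base, "file-1", allowed)
        out["hardened_accepts_known_field"] = good == os.path.join(
            os.path.realpath(upload_base), "file-1")
        return out
    finally:
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is the check that matters most: a form handler already knows which upload fields it rendered, so any key that is not one of them is not a legitimate request and can be refused before any path is built. The character-set and realpath checks are defence in depth for the case where the allow-list is bypassed or misconfigured.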

Affected Version(s)

MW WP Form <= 5.1.1 (all versions up to and including 5.1.1)


CVSS V3.1

Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 8 April 2026

Credit

Sander Horsman