Addressing Critical Software Vulnerabilities: A Continuous Effort for WordPress Site Security

WordPress administrators urgently need to update the popular MW WP Form plugin after researchers discovered a critical vulnerability that could allow hackers to execute malicious code on vulnerable sites remotely. Versions 5.0.1 and earlier of the form creation plugin are affected by the vulnerability, which security firm Wordfence rated a maximum 10 out of 10 severity score because it can be used to compromise sites without any authentication.

The MW WP Form plugin helps users easily create and customize forms for their sites using a drag-and-drop interface and shortcode builder. One of its key features is the ability to upload files through forms to collect submissions. However, researchers found that while the plugin checks submitted file types, it fails to block dangerous file types from being uploaded. Even if a submission is flagged as an unsafe file type like PHP, the code continues to execute and allows the file to be saved anyway.

This critical flaw leaves over 200,000 active plugin installations exposed to attacks in which hackers could craft malicious PHP payloads and have them executed on the server simply by submitting them through a form. Because the vulnerability does not require any login, attackers can gain complete control over vulnerable sites remotely. Wordfence urges all administrators running the at-risk versions of MW WP Form to update immediately.

What Happened with the MW WP Form Plugin Attack?

To understand the severity of this vulnerability and why it poses such a serious risk, it’s important to examine the technical details:

  • The vulnerability lies in the plugin’s ability to upload files through forms using the [mwform_file] shortcode. While file type checking is implemented, it does not block restricted types from being saved.
  • Even when an unsafe file type like PHP is identified, the code throws an exception in the try/catch block but still allows the file upload to continue rather than blocking it.
  • With no authentication, an attacker could craft a malformed PHP file that executes remote code when accessed on the server. They would submit it through a vulnerable site’s form.
  • The form’s “Save submissions to database” setting must be enabled for the attack to work. However, over 15% of observed sites had this active, increasing the number of targets.
  • Once code is executed, the attacker has complete remote control over the server, allowing things like installing web shells or other malicious payloads.
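To make the control-flow defect above concrete, here is an added PHP illustration constructed for this article; it is not MW WP Form's own code. A hypothetical upload handler written in the "check, catch, save anyway" pattern sits beside a hardened version that rejects the file before anything is written; all function and constant names are assumptions.

```php
<?php
// Constructed illustration of the control-flow defect described above.
// Not MW WP Form's code: both functions are hypothetical upload handlers
// that mimic the pattern "check the type, raise on failure, save anyway".

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php5', 'phar'];

function extension_of(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/** Vulnerable pattern: the check runs, the exception is caught, and the
 *  code falls through to the save. Always returns the stored path. */
function save_upload_vulnerable(string $name, string $data, string $dir): string
{
    try {
        if (in_array(extension_of($name), BLOCKED_EXTENSIONS, true)) {
            throw new RuntimeException("disallowed file type: $name");
        }
    } catch (RuntimeException $e) {
        error_log($e->getMessage());        // logged ... and then ignored
    }
    $dest = $dir . '/' . basename($name);   // reached even for .php
    file_put_contents($dest, $data);
    return $dest;
}

/** Hardened pattern: allow-list instead of block-list, reject before any
 *  write, and never reuse the client-supplied file name. */
function save_upload_hardened(string $name, string $data, string $dir): ?string
{
    $ext = extension_of($name);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        error_log("rejected upload with extension '$ext'");
        return null;                        // nothing written, caller sees failure
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    file_put_contents($dest, $data);
    return $dest;
}

// Demo with a constructed submission; a temp dir stands in for wp-content/uploads.
$dir = sys_get_temp_dir() . '/demo_uploads_' . getmypid();
mkdir($dir);
$payload = 'constructed test content';
var_dump(save_upload_vulnerable('form.php', $payload, $dir)); // string: file stored
var_dump(save_upload_hardened('form.php', $payload, $dir));   // NULL: rejected
```

Run it with `php` on the command line; the first call writes `form.php` into the demo directory, the second writes nothing, which is the behaviour the patch restores.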

The plugin’s author has since resolved the issue in version 5.0.2. But with no automatic updates, over a quarter of observed sites remained unpatched weeks after disclosure. This prolonged exposure period gives hackers a large window of opportunity to exploit vulnerable installations actively.

Tips to Defend Against the Attack

WordPress users can take the following immediate actions to strengthen their defenses against this exploit:

  • Update MW WP Form to version 5.0.2 or later through the WordPress updater; this patch resolves the vulnerability (WordPress 6.4.1 or higher).
  • Review and verify all plugin and theme versions are up to date to eliminate other potential entry points. Outdated software is often the easiest for hackers to attack.
  • Implement a strong .htaccess file to block direct access to PHP and other interpretable files for additional protection.
  • Consider disabling the file upload feature entirely if it’s not required, to reduce the attack surface.
  • Monitor websites closely for any unusual or unexplained files that could indicate a compromise has already occurred.
  • Stay updated on the latest advisories through a reputable security notification service to respond quickly to future issues.

While the number of active vulnerable sites has likely fallen as updates propagate, the prolonged exposure window means this critical vulnerability remains an ongoing risk that opportunistic or automated exploits may still try to take advantage of over time. Admins must prioritize patching any use of the at-risk MW WP Form plugin to close the critical security hole. Doing so helps prevent websites from being hacked and users’ data from being stolen or used for malicious purposes without consent. Staying proactive about patching remains one of the best defenses as long as severe vulnerabilities like this remain.

Amelie Lamb

Amelie Lamb is an experienced technical content writer at SoftwareStack.co who specializes in distilling complex software topics into clear, concise explanations. She has a talent for taking dense technical jargon and making it engaging and understandable for readers through her informative, lively writing style.