MW WP Form Plugin Flaw (CVE-2023-6316): Attackers Can Take Control of Your Website

The MW WP Form plugin, renowned for its intuitive form-building capabilities, has harbored a severe flaw. With over 200,000 active installations, this vulnerability posed a silent but deadly threat. Identified as an unauthenticated arbitrary file upload vulnerability, it allows attackers to infiltrate and execute malicious code on a website’s server. The vulnerability was discovered by Wordfence’s Threat Intelligence team, who initiated the responsible disclosure process on November 24, 2023.

CVE-2023-6316

The vulnerability stems from insufficient file type validation in the plugin’s ‘_single_file_upload’ function. This oversight enables attackers to upload arbitrary files, including PHP files, to the affected site’s server. The flaw is particularly menacing as it requires no authentication, allowing any remote attacker to exploit it.

Designated as CVE-2023-6316, the vulnerability received a CVSS score of 9.8, categorizing it as critical. This rating reflects the ease of exploitation and the potential damage it could inflict, including unauthorized access, data theft, and complete site compromise.

“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log() function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution,” the researcher wrote.

The plugin’s developers, the Web-Soudan Team, responded promptly, releasing a patch on November 29, 2023. This rapid response was crucial in mitigating the threat.

The patched version of MW WP Form, version 5.0.2, addresses the critical CVE-2023-6316 flaw. Users of the plugin are urged to update to this latest version immediately to safeguard their websites against potential attacks.