Vulnerability Summary from Wordfence IntelligenceDescription: MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload
Affected Plugin: MW WP Form
Plugin Slug: mw-wp-form
Affected Versions: <= 5.0.1
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: István Márton
Fully Patched Version: 5.0.2
The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the ‘_single_file_upload’ function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
Technical Analysis
The MW WP Form plugin provides a shortcode-based form builder, with many customizable fields and many useful form options. Files can also be uploaded to the form with the [mwform_file name="file"] shortcode field.
Examining the code reveals that the plugin uses the _single_file_upload() function in the MW_WP_Form_File class to file upload, and the check_file_type() function in the MWF_Functions class is used to check the file type.
[View the code snippet on the blog]
The upload function checks the file and then copies it to the server with the move_uploaded_file() function. The file is only stored on the server if the “Saving inquiry data in database” option is selected in the form settings. Otherwise the file is immediately deleted after submitting the form.
[View the code snippet on the blog]
Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log() function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.
We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Saving inquiry data in database” option in the form settings, because the plugin only saves the files in this configuration.
Disclosure Timeline
November 24, 2023 – Discovery of the Arbitrary File Upload vulnerability in MW WP Form.
November 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
November 24, 2023 – The vendor confirms the inbox for handling the discussion.
November 24, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
November 29, 2023 – A fully patched version of the plugin, 5.0.2, is released.
Conclusion
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of MW WP Form.
All Wordfence users, including those running Wordfence Premium , Wordfence Care , and Wordfence Response , as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Did you know that Wordfence has a Bug Bounty Program ? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.