MW WP Form Plugin for WordPress Arbitrary File Moving Vulnerability

A vulnerability exists in the MW WP Form plugin for WordPress, allowing for arbitrary file moving on the server. This issue arises from inadequate file path validation in the 'generate_user_filepath' and 'move_temp_file_to_upload_dir' functions, affecting all versions up to and including 5.1.0. The vulnerability can be exploited by unauthenticated attackers to move files, potentially leading to remote code execution if sensitive files like wp-config.php are targeted. Exploitation requires a file upload field in the form and the 'Saving inquiry data in database' option enabled.

Impact

Successful exploitation allows unauthenticated users to move arbitrary files on the server, with the potential to execute remote code if certain files are moved to accessible locations.

Reproduction

To reproduce this vulnerability, create a form using the MW WP Form plugin version 5.1.0 or earlier. Add a file upload field to the form and enable the 'Saving inquiry data in database' option. Once the form is published, an unauthenticated user can upload a file through the file upload field. The uploaded file will be temporarily stored in a directory. After the file is uploaded, the vulnerability can be exploited by sending a request that includes the file name and specifies a new location, such as the directory where WordPress stores uploaded files. The 'move_temp_file_to_upload_dir' function will be called, moving the file to the specified location. This can be done by manipulating the form submission to include the uploaded file's path and the desired destination path, taking advantage of the insufficient validation to traverse directories and move files arbitrarily.

Remediation

Users are advised to update the MW WP Form plugin to version 5.1.1 or later.