MW WP Form is a popular WordPress contact form plugin with over 200,000 active installations. Versions up to and including 5.1.0 have a path traversal vulnerability (CVE-2026-4347, CVSS 8.1 High) that allows unauthenticated attackers to move arbitrary files on the server. The worst case scenario: an attacker moves your wp-config.php out of the web root, triggering the WordPress installation wizard and gaining full control of your website.
What the vulnerability does
The plugin’s temporary file handling system builds directory paths using form field names. When you submit a form with a file upload, the plugin constructs a path like this:
    wp-content/uploads/mw-wp-form_uploads/{token}/{form_id}/{field_name}/

The problem is in generate_user_file_dirpath() in class.directory.php. The $name parameter (the form field name, which is attacker-controlled) gets passed straight into path_join() with no sanitisation:
    public static function generate_user_file_dirpath( $form_id, $name ) {
        // Per-form directory: .../mw-wp-form_uploads/{token}/{form_id}
        $user_dir = static::generate_user_dirpath( $form_id );
        // $name is the submitted field name; it is joined onto the directory
        // with no sanitisation and no containment check (the vulnerable step)
        $user_file_dir = path_join( $user_dir, $name );
        return $user_file_dir;
    }

If a field name contains path traversal sequences, the resulting path escapes the upload directory entirely. Combined with the rename() call in move_temp_file_to_upload_dir(), an attacker can relocate any file that the server process has access to (provided the filesystem permissions make it writable).
There is a traversal check in the sibling function generate_user_filepath(), which looks for ../ substrings. But it only applies to file path construction, not directory path construction. Code that calls generate_user_file_dirpath() directly bypasses the check completely. Even where the check does apply, it uses simple string matching rather than proper realpath() canonicalisation, making it fragile.
The attack requires specific conditions
Two conditions need to be met for the vulnerability to be exploited: the form must include a file upload field, and “Saving inquiry data in database” must be enabled for that form. Without both of those, the vulnerable code path is never reached.
The attack itself is a two-step process. First, the attacker submits a legitimate file upload through the form’s confirm step. Then they submit the complete step with manipulated POST data containing crafted path traversal sequences in the field name. The plugin stores POST values in the session between steps without validation, so the manipulated values flow into the file move operation.
A familiar pattern
This is the third significant file handling vulnerability in MW WP Form. CVE-2023-6316 (CVSS 9.8) was an arbitrary file upload in December 2023. CVE-2023-6559 (CVSS 7.5) was an arbitrary file deletion in January 2024. Each previous fix targeted the specific exploit discovered rather than addressing the root cause. Proper path canonicalisation using realpath() with a base directory prefix check would close all of these vectors at once, but the plugin continues to rely on fragile string matching.
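The realpath()-based fix described above, written out as an added example that is not code from MW WP Form, and covering the unsanitised generate_user_file_dirpath() shown earlier. It assumes a minimal stand-in for WordPress's path_join() (path_join_stub), and the other function names (is_safe_field_name, is_inside_base, safe_user_file_dirpath, demo) are hypothetical. Two layers are applied: an allowlist on the field name itself, and a containment check that canonicalises the final path and requires it to sit under the form's upload directory, instead of searching the string for "../".

```php
<?php
// Added example, not code from MW WP Form: a hardened replacement for the
// plugin's generate_user_file_dirpath() pattern. path_join_stub() is an assumed
// stand-in for WordPress's path_join(); all other function names are hypothetical.
declare(strict_types=1);

// Stand-in for WordPress path_join(): returns $path unchanged when it is
// absolute, otherwise appends it to $base.
function path_join_stub(string $base, string $path): string
{
    if ($path !== '' && ($path[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $path) === 1)) {
        return $path;
    }
    return rtrim($base, '/') . '/' . ltrim($path, '/');
}

// First layer: allowlist the field name. A form field name only needs letters,
// digits, underscore and hyphen, so separators and dots are rejected before
// any path is built.
function is_safe_field_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

// Second layer: canonicalise and check containment. realpath() resolves "..",
// ".", symlinks and repeated separators; the result must equal the canonical
// base or start with it followed by a separator, so "uploads-evil" is not
// treated as being inside "uploads".
function is_inside_base(string $base, string $candidate): bool
{
    $real_base = realpath($base);
    if ($real_base === false) {
        return false;
    }
    // The target directory usually does not exist yet, so canonicalise its
    // parent and re-attach the final segment.
    $real_parent = realpath(dirname($candidate));
    if ($real_parent === false) {
        return false;
    }
    $real_candidate = $real_parent . DIRECTORY_SEPARATOR . basename($candidate);
    return $real_candidate === $real_base
        || strncmp($real_candidate, $real_base . DIRECTORY_SEPARATOR, strlen($real_base) + 1) === 0;
}

// Hardened directory-path builder: returns null instead of a path whenever the
// field name would place the directory outside the form's upload directory.
function safe_user_file_dirpath(string $user_dir, string $name): ?string
{
    if (!is_safe_field_name($name)) {
        return null;
    }
    $dir = path_join_stub($user_dir, $name);
    return is_inside_base($user_dir, $dir) ? $dir : null;
}

// Demonstration on a constructed temporary directory layout (no real site data).
function demo(): array
{
    $root     = sys_get_temp_dir() . '/mwwpf-demo-' . getmypid();
    $user_dir = $root . '/uploads/token/form-1';
    mkdir($user_dir, 0700, true);

    $results = [
        // ordinary field name: accepted and kept inside $user_dir
        'plain_name_accepted' => safe_user_file_dirpath($user_dir, 'attachment') === $user_dir . '/attachment',
        // traversal and absolute names: stopped by the allowlist
        'traversal_rejected'  => safe_user_file_dirpath($user_dir, '../../outside') === null,
        'absolute_rejected'   => safe_user_file_dirpath($user_dir, '/tmp/outside') === null,
        // containment check alone: it judges where the path actually ends up,
        // not whether the string happens to contain "../"
        'climb_and_return'    => is_inside_base($user_dir, $user_dir . '/../form-1/attachment') === true,
        'climb_out'           => is_inside_base($user_dir, $user_dir . '/../../outside') === false,
    ];

    rmdir($user_dir);
    rmdir(dirname($user_dir));
    rmdir(dirname($user_dir, 2));
    rmdir($root);
    return $results;
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
}
```

Run with the PHP CLI; every entry of the returned array should be true. The allowlist alone would already block the field-name vector, but the containment check is what closes the class of bug for any caller that reaches the path builder with a value the allowlist was never applied to.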
How to check if you are affected
Look for “MW WP Form” in your WordPress plugins list. If the version is 5.1.0 or lower, check whether any of your forms have file upload fields with database saving enabled.
Via WP-CLI:
    # Look for the mw-wp-form plugin
    wp plugin list --name=mw-wp-form --fields=name,version,status
Update now
As with most of these, the fix is simple. Update to the latest version immediately, then test that your contact forms still function as you expect.
If you manage multiple WordPress sites, automated vulnerability monitoring picks up disclosures like this as they happen, so you can act before attackers do.