"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 4
Critical: 1
High: 3
Medium: 0
Threat Entry Updated 2026-04-08

CVE-2026-5436 - MW WP Form Plugin

The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied…

PLUGIN MW WP Form

CVE-2026-5436

HIGH CVSS 8.1 2026-04-08
Threat Entry Updated 2026-04-03

CVE-2026-4347 - MW WP Form Plugin

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is…

PLUGIN MW WP Form

CVE-2026-4347

HIGH CVSS 8.1 2026-04-02
Threat Entry Updated 2024-11-21

CVE-2023-6316 - MW WP Form Plugin

The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN MW WP Form

CVE-2023-6316

CRITICAL CVSS 9.8 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6559 - MW WP Form Plugin

The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

PLUGIN MW WP Form

CVE-2023-6559

HIGH CVSS 7.5 2023-12-16