In a recent discovery, the MW WP Form plugin, known for its user-friendly form-building capabilities, was found to have a severe flaw that put over 200,000 active installations at risk. This vulnerability, identified as an unauthenticated arbitrary file upload vulnerability, allowed attackers to infiltrate and execute malicious code on a website’s server.
The vulnerability was brought to light by Wordfence’s Threat Intelligence team, who initiated the responsible disclosure process on November 24, 2023. The flaw stemmed from insufficient file type validation in the plugin’s ‘_single_file_upload’ function, enabling attackers to upload arbitrary files, including PHP files, to the affected site’s server. What made this vulnerability particularly dangerous was the fact that it required no authentication, making it accessible to any remote attacker.
Designated as CVE-2023-6316, the vulnerability received a critical CVSS score of 9.8. This rating reflects the ease of exploitation and the potential damage it could cause, including unauthorized access, data theft, and complete site compromise. The flaw allowed attackers to upload arbitrary PHP files and execute them on the server, thereby achieving remote code execution.
The developers of the MW WP Form plugin, the Web-Soudan Team, responded promptly to the discovery. They released a patch on November 29, 2023, just five days after the responsible disclosure. This rapid response was crucial in mitigating the threat and protecting vulnerable websites.
The patched version of MW WP Form, version 5.0.2, specifically addresses the critical CVE-2023-6316 flaw. Users of the plugin are strongly urged to update to this latest version immediately to safeguard their websites against potential attacks. By updating to the patched version, website owners can ensure that their forms remain secure and that malicious actors cannot exploit this vulnerability to compromise their servers.
Wordfence’s Threat Intelligence team explained the technical details behind the vulnerability, stating, “Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log() function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.”
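The fail-open pattern described in the quote, next to a fail-closed version, as an added PHP example that is not the plugin's code. The function names, the extension allowlist and the in-memory `store()` stand-in are assumptions made for illustration.

```php
<?php
// Added illustration; every name here is hypothetical, not MW WP Form code.
const ALLOWED_EXT = ['jpg', 'png', 'pdf'];

// Type check that works correctly: throws on anything off the allowlist.
function assert_allowed_type(string $name): void {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("disallowed file type: $name");
    }
}

// Stand-in for moving the upload into the uploads directory.
function store(string $name, array &$stored): void {
    $stored[] = $name;
}

// Fail-open: the catch block only logs, so execution falls through to store().
function upload_fail_open(string $name, array &$stored): bool {
    try {
        assert_allowed_type($name);
    } catch (Exception $e) {
        error_log($e->getMessage());
    }
    store($name, $stored);
    return true;
}

// Fail-closed: a rejected check ends the request before anything is written.
function upload_fail_closed(string $name, array &$stored): bool {
    try {
        assert_allowed_type($name);
    } catch (Exception $e) {
        error_log($e->getMessage());
        return false;
    }
    store($name, $stored);
    return true;
}

// Constructed sample filenames.
foreach (['photo.jpg', 'notes.php'] as $name) {
    $open = [];
    $closed = [];
    upload_fail_open($name, $open);
    upload_fail_closed($name, $closed);
    printf("%-10s fail-open stored=%d  fail-closed stored=%d\n",
        $name, count($open), count($closed));
}
```

When reviewing upload handlers, a `catch` block that logs without returning or rethrowing is the thing to look for: the validation result is recorded but never enforced.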
The responsible disclosure process ensured that the developers were made aware of the vulnerability and were given an opportunity to address it before the details were made public. This approach allows for collaboration between security researchers and developers, enabling timely patches to be released and minimizing the impact on end-users.
Website security is an ongoing concern, and this incident serves as a reminder for website owners to remain vigilant and keep their plugins and software up to date. Regularly updating plugins to the latest versions ensures that any security vulnerabilities are patched, reducing the risk of exploitation by attackers.
The MW WP Form plugin’s developers have demonstrated their commitment to security by promptly addressing the vulnerability and releasing a patch. Users of the plugin can now update to the latest version with confidence, knowing that their websites are protected against potential attacks.
By staying informed about security vulnerabilities and taking proactive measures to protect websites, website owners can safeguard their online presence and provide a secure experience for their users.