CVE-2026-5436 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: April 8, 2026
MW WP Form - Path Traversal
Published: April 8, 2026 | Updated: April 8, 2026 | Remote Exploitable
Overview
The MW WP Form plugin for WordPress, versions <= 5.1.1, contains an arbitrary file move/read vulnerability caused by insufficient validation of the $name parameter in generate_user_file_dirpath(). This lets unauthenticated attackers move arbitrary files on the server. Exploitation requires that the form contains a file upload field and that the option to save inquiry data in the database is enabled.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Unauthenticated attackers can move arbitrary files, potentially leading to remote code execution and full server compromise.
Mitigation
Update to the latest version of MW WP Form plugin.
References
- https://plugins.trac.wordpress.org/changeset/3501261/mw-wp-form
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bc308993-7fc5-41db-a396-f05e95fe47b8?source=cve
- https://github.com/web-soudan/mw-wp-form/commit/f872ab18ca670f5867b2241745daa30cd0fab861
- https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.1/classes/models/class.data.php#L591
- https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.1/classes/models/class.directory.php#L138
Details
- CVE ID: CVE-2026-5436
- Severity: High
- CVSS Score: 8.1
- Type: path_traversal
- Status: unconfirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H