Summary (TL;DR): A critical vulnerability in the MW WP Form plugin for WordPress, affecting over 200,000 sites, allows unauthenticated attackers to upload and execute malicious files. Users are urged to update to version 5.0.2 immediately, as this high-risk flaw, rated 9.8 out of 10, can compromise websites and does not require special permissions for exploitation.
A critical security vulnerability has been identified in the MW WP Form plugin for WordPress, affecting versions 5.0.1 and earlier, potentially impacting over 200,000 installations. This flaw, as detailed by Wordfence security researchers, allows unauthenticated attackers to upload arbitrary files, including malicious PHP backdoors, to a WordPress site.
The vulnerability specifically lies in the plugin's file upload feature, which is used for data collection through a shortcode. Despite having a check for unexpected file types, this check fails to function properly, allowing dangerous file types to be uploaded and executed on the server. This issue poses a significant risk as it enables remote code execution, potentially compromising the website and its visitors.
The severity of this vulnerability, rated 9.8 out of 10, hinges on the "Saving inquiry data in database" option being enabled in the form settings. This critical threat can be mitigated by updating the MW WP Form plugin to the latest version, 5.0.2, which contains a patch for this vulnerability. Wordfence strongly recommends users with the vulnerable plugin version, especially those with the data-saving option enabled, to update immediately to protect their websites from potential exploitation. This update is crucial as the vulnerability does not require any special permissions, making it easily exploitable by any unauthenticated user.
Switch to Safety: Discover 3 Secure and User-Friendly Form Plugin Alternatives for WordPress
Common Ninja’s Form Builder
If you're seeking a secure and user-friendly alternative to the recently compromised MW WP Form plugin, consider Common Ninja’s Form Builder.
This robust plugin stands out for its enhanced security features, ensuring your WordPress site remains protected against vulnerabilities like unauthorized file uploads. Common Ninja prioritizes safety with regular security updates and stringent data protection protocols, offering peace of mind for both website owners and users.
Additionally, its intuitive interface makes form creation a breeze, even for those with minimal technical expertise. With a wide range of customizable templates and easy integration options, Common Ninja Form Builder not only enhances your website's security but also improves the overall user experience. Its versatility in creating various forms, from simple contact forms to complex surveys, coupled with reliable security, makes it an excellent choice for any WordPress site looking to upgrade its form functionality.
Contact Form by WPForms
WPForms Lite is a user-friendly WordPress plugin designed for creating powerful and responsive forms with ease. It features a drag-and-drop form builder, allowing users to quickly create contact forms, feedback forms, subscription forms, and more. This plugin is known for its simplicity and mobile-ready design, making it ideal for beginners and professionals alike. It also integrates seamlessly with various platforms and offers instant notification features to keep you connected with your audience.
Contact Form 7
Contact Form 7 is one of the most popular and enduring WordPress plugins for creating and managing multiple contact forms. It supports Ajax-powered submitting, CAPTCHA, and Akismet spam filtering to ensure secure and efficient form submissions. The plugin is highly customizable and allows users to flexibly design their forms with simple markup. It's a great choice for those who need a straightforward, reliable solution for handling contact forms on their WordPress site.
