WordPress plugin "MW WP Form" vulnerable to arbitrary file upload


WordPress plugin "MW WP Form" provided by Web Consultation Office Co., Ltd can create a mail form using shortcode. MW WP Form contains a vulnerability that may allow an attacker to upload arbitrary files (CVE-2023-6316, CWE-434).
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

Web Consultation Office Co., Ltd
  • MW WP Form 5.0.1 and earlier


When the "Saving inquiry data in database" option in the form settings is enabled, an attacker may execute arbitrary code on the server by uploading an arbitrary file.

[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses this vulnerability.

* MW WP Form 5.0.2 or later
Vendor Information

Web Consultation Office Co., Ltd
CWE (What is CWE?)

  1. Unrestricted Upload of File with Dangerous Type(CWE-434) [Other]
CVE (What is CVE?)

  1. CVE-2023-6316

  1. JVN : JVNVU#97876221
  2. National Vulnerability Database (NVD) : CVE-2023-6316
  3. Related Information : Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution
Revision History

  • [2023/12/15]
      Web page was published
  • [2024/03/26]
      References : Content was added