On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This vulnerability can only be exploited if the “Saving inquiry data in database” option in the form settings is enabled.
Props to ISMAILSHADOW, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $3,105.00 for this discovery.
