CVE-2026-4347
Published: 02 April 2026
Summary
CVE-2026-4347 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-4347 is a vulnerability in the MW WP Form plugin for WordPress, affecting all versions up to and including 5.1.0. It arises from insufficient file path validation in the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function, enabling arbitrary file moving on the server. This issue, classified under CWE-22 (Path Traversal), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-02.
Unauthenticated attackers can exploit the vulnerability under specific conditions: a file upload field must be present in the form, and the “Saving inquiry data in database” option must be enabled. Successful exploitation allows attackers to move arbitrary files on the server, which can readily result in remote code execution—for instance, by relocating critical files like wp-config.php.
Advisories point to the vulnerable code in the plugin's Main.php (line 271) and Directory.php (line 138) files, as detailed in the WordPress plugin Trac repository. Additional analysis is available via Wordfence's threat intelligence page, which provides further vulnerability specifics.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18124
Vulnerability details
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
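The flaw described above is insufficient validation of the destination path when a temporary upload is moved into the upload directory. The following is an added example, written for this page and not code from the MW WP Form plugin or from WordPress, of the containment check a defender would expect in such a move routine: it accepts only a bare file name from an allow-listed character set, refuses any name that carries directory components, confirms that the resolved destination still lies inside the upload directory, and refuses to overwrite existing files. The function names `safe_upload_destination` and `move_upload_safely`, the temporary directory layout and the sample file names are all hypothetical; the code assumes PHP 8 on a POSIX filesystem.

```php
<?php
// Added example (hypothetical, not the plugin's own code): hardened
// destination check for moving an uploaded temp file into an upload directory.

/**
 * Return a destination path inside $upload_dir for a user-supplied file
 * name, or null when the name cannot be accepted.
 */
function safe_upload_destination(string $upload_dir, string $user_filename): ?string {
    // The upload directory must already exist; resolve it to a canonical path.
    $base = realpath($upload_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Only a bare file name is acceptable. basename() drops directory parts
    // and "../" sequences, so any difference from the input means the caller
    // tried to supply a path rather than a name.
    $name = basename($user_filename);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $user_filename) {
        return null;
    }

    // Allow-list the characters we are prepared to store on disk; this also
    // rejects NUL bytes and other control characters.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        return null;
    }

    $dest = $base . DIRECTORY_SEPARATOR . $name;

    // The file does not exist yet, so resolve its parent directory instead and
    // require it to be exactly the upload directory (containment check).
    if (realpath(dirname($dest)) !== $base) {
        return null;
    }
    return $dest;
}

/**
 * Move a temp file into the upload directory only when the source is a real
 * file and the computed destination passes validation.
 */
function move_upload_safely(string $temp_file, string $upload_dir, string $user_filename): bool {
    $src = realpath($temp_file);
    if ($src === false || !is_file($src)) {
        return false;
    }
    $dest = safe_upload_destination($upload_dir, $user_filename);
    if ($dest === null || file_exists($dest)) {
        return false; // reject bad names and never overwrite an existing file
    }
    return rename($src, $dest);
}

// Constructed demo (not real uploads): a throwaway directory and temp file.
$upload_dir = sys_get_temp_dir() . '/demo_uploads_' . getmypid();
mkdir($upload_dir);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "example\n");

$cases = ['report.pdf', '../wp-config.php', 'sub/notes.txt', "bad\0name.txt", '.htaccess'];
foreach ($cases as $case) {
    $dest = safe_upload_destination($upload_dir, $case);
    printf("%-20s -> %s\n", str_replace("\0", '\0', $case), $dest === null ? 'REJECTED' : $dest);
}
var_dump(move_upload_safely($tmp, $upload_dir, 'report.pdf'));

// Clean up the constructed files.
@unlink($upload_dir . '/report.pdf');
@unlink($tmp);
@rmdir($upload_dir);
```

The two checks are deliberately redundant: the name allow-list alone already excludes separators and traversal, and the `realpath(dirname($dest)) === $base` comparison catches any future change to the name rules or to how the destination is assembled. Refusing to overwrite an existing file is what keeps a validation slip from turning into the relocation of configuration files that the advisory warns about.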
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in a public-facing WordPress plugin directly enables initial access via exploitation of a web application (T1190) and facilitates remote code execution by allowing arbitrary file moves to deploy web shells (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly counters the insufficient file path validation in the generate_user_filepath and move_temp_file_to_upload_dir functions, preventing path traversal and arbitrary file moves.
- SI-2 (Flaw Remediation): remediates the specific flaw in MW WP Form plugin versions up to and including 5.1.0 through timely patching or updates that eliminate the vulnerability.
- CM-7 (Least Functionality): mitigates exploitation by enforcing least functionality, such as disabling file upload fields and the 'Saving inquiry data in database' option when they are not essential.