Vulnerability Description
The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Web-Soudan | Mw Wp Form | < 5.0.4 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3007879/mw-wp-formPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/412d555c-9bbd-42f5-802PatchThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/3007879/mw-wp-formPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/412d555c-9bbd-42f5-802PatchThird Party Advisory
FAQ
What is CVE-2023-6559?
CVE-2023-6559 is a vulnerability with a CVSS score of 7.5 (HIGH). The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file...
How severe is CVE-2023-6559?
CVE-2023-6559 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-6559?
Check the references section above for vendor advisories and patch information. Affected products include: Web-Soudan Mw Wp Form.