$1,275 Bounty Awarded For Arbitrary File Deletion Vulnerability Patched in MW WP Form WordPress Plugin



On December 5th, 2023, shortly after the launch of our Holiday Bug Extravaganza, we received a submission for an Arbitrary File Deletion vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations.

Props to Thomas Sanzey who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,275.00 for this discovery during our Bug Bounty Program Extravaganza.

Please accept our sincere apologies that we incorrectly reported in our email that we released a custom firewall rule for this vulnerability, when in fact we did not. All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Local File Inclusion protection.

We contacted the Web-Soudan Team on December 6, 2023, and received a response on December 6, 2023. After providing full disclosure details the next day, the developer released a patch on December 15, 2023. We would like to commend the Web-Soudan Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of MW WP Form, which is version 5.0.4, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: MW WP Form <= 5.0.3 – Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
Affected Plugin: MW WP Form
Plugin Slug: mw-wp-form
Affected Versions: <= 5.0.3
CVE ID: CVE-2023-6559
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Researcher/s: Thomas Sanzey
Fully Patched Version: 5.0.4
Bounty Awarded: $1,275.00

The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Technical Analysis

The MW WP Form plugin provides a shortcode-based form builder with many customizable fields and form options. Files can be uploaded through the form with the [mwform_file name="file"] shortcode field. The form can be submitted with the [mwform_submitButton] shortcode field, which renders the “Confirm & Submit” button. This is a special submit option: the user first confirms and then submits, so form processing has two separate parts.

Examining the code reveals that the plugin uses the _template_redirect() function in the MW_WP_Form_Main_Controller class to handle this type of form submit request. The post condition can be ‘confirm’ or ‘complete’ based on the post data.

if ( 'complete' === $view_flg ) {
	$is_mail_sended = $this->_send();
}

When the form is submitted, and the post condition is ‘complete’, it calls the _send() function for sending the email, and this function gets the already uploaded attachments from post data. This then calls the send_admin_mail() function in the MW_WP_Form_Mail_Service class, which contains the following code snippet:

// If not usedb, remove files after sending admin mail
if ( ! $this->Setting->get( 'usedb' ) ) {
	$this->_delete_files();
}

The file is stored on the server and saved in the database if the “Saving inquiry data in database” option is selected in the form settings. If the file is not saved in the database, the plugin deletes the uploaded file immediately after sending the email.

/**
 * Delete attachment files.
 */
protected function _delete_files() {
	foreach ( $this->attachments as $file ) {
		if ( file_exists( $file ) ) {
			unlink( $file );
		}
	}
}

Unfortunately, the attachments received from the post data in the form submit request are neither validated nor sanitized. This means that attackers can specify any file on the server to be deleted, including the site’s wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to take control by redirecting it to a database under their control.
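The missing check, shown as an added example that is not the plugin's code and not the 5.0.4 patch: each path is resolved with realpath() and deleted only if it lies inside the directory uploads are expected in. The function name delete_files_within() and the demo paths are hypothetical.

```php
<?php
// Added example; not MW WP Form code. delete_files_within() is a hypothetical name.

/**
 * Delete only files that resolve to a location inside $allowed_dir.
 * Returns the entries that were refused.
 */
function delete_files_within( array $attachments, string $allowed_dir ): array {
	$base = realpath( $allowed_dir );
	if ( false === $base ) {
		return $attachments; // No usable base directory: refuse everything.
	}
	$base    = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
	$refused = array();

	foreach ( $attachments as $file ) {
		// realpath() collapses ../ segments and follows symlinks (false if missing).
		$real = is_string( $file ) ? realpath( $file ) : false;
		if ( false === $real || ! is_file( $real ) || 0 !== strpos( $real, $base ) ) {
			$refused[] = $file;
			continue;
		}
		unlink( $real );
	}
	return $refused;
}

// Constructed demo: a temporary upload directory and a stand-in config file outside it.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mwform-demo-' . uniqid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir( $uploads, 0700, true );
$upload = $uploads . DIRECTORY_SEPARATOR . 'attachment.txt';
$config = $root . DIRECTORY_SEPARATOR . 'wp-config.php';
file_put_contents( $upload, 'constructed upload' );
file_put_contents( $config, 'constructed stand-in, not a real config' );

// One legitimate upload, one traversal path, one absolute path outside the directory.
$submitted = array( $upload, $uploads . '/../wp-config.php', $config );
$refused   = delete_files_within( $submitted, $uploads );

printf( "upload still present: %s\n", var_export( file_exists( $upload ), true ) );
printf( "config still present: %s\n", var_export( file_exists( $config ), true ) );
printf( "refused entries: %d\n", count( $refused ) );

// Clean up the demo directory.
unlink( $config );
rmdir( $uploads );
rmdir( $root );
```

In the plugin's context the allowed directory would be whatever temporary upload directory the plugin writes to; that path is not shown on this page.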

The complete exploit process looks like this:

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious file path and blocks the request.

Important Note

We would like to draw attention once again to the fact that the vulnerability only critically affects users who have a “Confirm and Submit” button in the form and have also disabled the “Saving inquiry data in database” option in the form settings, because the plugin only deletes the user-specified file without sanitizing the filename in this configuration. This means that not all users running the plugin would be inherently vulnerable, but nonetheless we recommend updating immediately as attackers are clever and could chain vulnerabilities in plugins to achieve a complete site takeover.

Disclosure Timeline

December 6, 2023 – We receive the submission of the Arbitrary File Deletion vulnerability in MW WP Form via the Wordfence Bug Bounty Program.
December 6, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 6, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
December 6, 2023 – The vendor confirms the inbox for handling the discussion.
December 7, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
December 15, 2023 – The fully patched version of the plugin, 5.0.4, is released.

Conclusion

In this blog post, we detailed an Arbitrary File Deletion vulnerability within the MW WP Form plugin affecting versions 5.0.3 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. The vulnerability has been fully addressed in version 5.0.4 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of MW WP Form.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.