CVE-2023-6559

2023-12-1613:15:07

CWE-22

Wordfence

web.nvd.nist.gov

mw wp form

wordpress

vulnerability

arbitrary file deletion

security

nvd

cve-2023-6559

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.004

Percentile

72.2%

JSON

The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Affected configurations

Nvd

Vulners

Node

web-soudanmw_wp_formRange<5.0.4wordpress

VendorProductVersionCPE
web-soudanmw_wp_form*cpe:2.3:a:web-soudan:mw_wp_form:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
web-soudan	mw_wp_form	*	cpe:2.3:a:web-soudan:mw_wp_form::::::wordpress::*

CNA Affected

[
  {
    "vendor": "inc2734",
    "product": "MW WP Form",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "5.0.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]