Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution
🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!🎁
On November 24, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Unauthenticated Arbitrary File Upload vulnerability in MW WP Form plugin, which is actively installed on more than 200,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server when the “Saving inquiry data in database” option in the form settings is enabled.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Malicious File Upload protection.
We contacted the Web-Soudan Team on November 24, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on November 29, 2023. We would like to commend The Web-Soudan Team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of MW WP Form, which is version 5.0.2 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: MW WP Form getMessage() );
}
MW_WP_Form_Directory::do_empty( $new_user_file_dir, true );
$filename=sanitize_file_name( sprintf( ‘%1$s-%2$s’, $name, $file[‘name’] ) );
$filepath=MW_WP_Form_Directory::generate_user_filepath( $form_id, $name, $filename );
try {
if ( ! move_uploaded_file( $file[‘tmp_name’], $filepath ) ) {
throw new RuntimeException( ‘[MW WP Form] There was an error saving the uploaded file.’ );
}
} catch ( Exception $e ) {
error_log( $e->getMessage() );
}
return $filename;
}
The upload function checks the file and then copies it to the server with the move_uploaded_file()
function. The file is only stored on the server if the “Saving inquiry data in database” option is selected in the form settings. Otherwise the file is immediately deleted after submitting the form.
Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block. The catch block only uses the error_log()
function to log the error without interrupting the upload. This means that even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.
We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Saving inquiry data in database” option in the form settings, because the plugin only saves the files in this configuration.
Disclosure Timeline
November 24, 2023 – Discovery of the Arbitrary File Upload vulnerability in MW WP Form.
November 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
November 24, 2023 – The vendor confirms the inbox for handling the discussion.
November 24, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
November 29, 2023 – A fully patched version of the plugin, 5.0.2, is released.
Conclusion
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of MW WP Form.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.
Source: wordfence.com