On March 16th, 2026, we received a submission for an Arbitrary File Move vulnerability in MW WP Form, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This vulnerability can only be exploited if the “Saving inquiry data in database” option in the form settings is enabled.
The post 200,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in MW WP Form WordPress Plugin appeared first on Wordfence.
This article has been indexed from Blog – Wordfence
Read the original article: