High severity7.5NVD Advisory· Published Dec 16, 2023· Updated Apr 8, 2026

CVE-2023-6559

Description

The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Affected products

Mw Wp Form Project/Mw Wp Form
cpe:2.3:a:web-soudan:mw_wp_form:*:*:*:*:*:wordpress:*:*
Range: <5.0.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3007879/mw-wp-formnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/412d555c-9bbd-42f5-8020-ccfc18755a79nvdPatchThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.005
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000