Mw Wp Form
Monthly
Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.