CVE-2023-6559: 
WordPress vulnerability analysis and mitigation

The MW WP Form plugin for WordPress was found to contain an arbitrary file deletion vulnerability, identified as CVE-2023-6559. The vulnerability affects all versions up to and including 5.0.3. The issue was discovered and reported to the Web-Soudan Team on December 6, 2023, and was publicly disclosed on December 16, 2023 (Wordfence Intel).

The vulnerability stems from improper path validation of uploaded files before deletion operations. It has been classified as a Path Traversal vulnerability (CWE-22). The severity of this vulnerability has received varying CVSS v3.1 scores, with the NVD assigning a Critical score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Wordfence assessed it at 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) (NVD Database).

The vulnerability allows unauthenticated attackers to delete arbitrary files from the affected WordPress installation, including critical system files such as wp-config.php. This capability could potentially lead to site takeover and remote code execution (NVD Database).

A patch has been released to address this vulnerability. Users are advised to update their MW WP Form plugin to version 5.0.4 or later to mitigate the risk (WordPress Patch).

The vulnerability discovery resulted in a $1,275 bounty being awarded to the researcher Thomas Sanzey (Wordfence Blog).