Description
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
Published: 2025-02-05
Score: 8.1 High
EPSS: 2.5% Low
KEV: No
Impact: Remote code execution via arbitrary file upload
Action: Update
AI Analysis

Impact

The Contact Manager plugin for WordPress accepts files submitted through its contact form by unauthenticated users without validating the file type. An attacker can therefore upload a file whose name carries two extensions, which enables remote code execution in the specific server configurations that act on the first extension rather than the final one. The exploit also depends on winning a race condition before the uploaded file can be executed. The weakness is classified as CWE-434: Unrestricted Upload of File with Dangerous Type.

Affected Systems

The vulnerability affects every installation of the Contact Manager plugin by kleor at version 8.6.4 or earlier, that is, any WordPress site running the plugin at one of those versions.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is rated high severity. The EPSS score of 3% indicates a moderate likelihood of exploitation in the near term. It is not listed in CISA's KEV catalog. The most likely attack vector is an unauthenticated, network-based submission through the public contact form. The race condition raises the attack complexity, but in configurations that allow the second file extension to be executed, remote code execution remains feasible.

Generated by OpenCVE AI on April 20, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Contact Manager plugin to version 8.6.5 or later to eliminate the double‑extension upload flaw.
  • Restrict file uploads by requiring authentication or disabling the upload field when the plugin cannot be updated immediately, thereby limiting exposure to unauthenticated users.
  • Configure the web server and file system to deny execution of uploaded files (e.g., set appropriate permissions or use `disable_functions`, `.htaccess` rules, or server‑side type checks) to mitigate potential code execution even if a malicious file is uploaded.
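
To make the last recommendation concrete, here is an added example of a server-side type check; it is not code from the Contact Manager plugin or from OpenCVE, and it is written as plain PHP so it runs without WordPress. The allowlist, the function names and the constructed sample files are this example's own assumptions.

```php
<?php
// Added example (not from the Contact Manager plugin or OpenCVE): a defensive
// upload validator of the kind the "server-side type checks" recommendation
// describes. Pure PHP, no WordPress dependency, so it runs as `php upload_check.php`.
// validate_upload, ALLOWED_TYPES and DANGEROUS_EXTENSIONS are this example's own names.

declare(strict_types=1);

// Allowlist keyed by the final extension; the MIME type is what `finfo` must report
// for the bytes actually uploaded (assumption: these are the only types the form needs).
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

// Extensions that must never appear anywhere in the name, not just at the end,
// because some server configurations act on the first extension they recognise.
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'shtml', 'htaccess', 'cgi', 'pl', 'py',
];

/**
 * Returns a safe target filename for the upload, or throws with the reason for rejection.
 * $clientName is the attacker-controlled name from the form; $tmpPath is the uploaded bytes.
 */
function validate_upload(string $clientName, string $tmpPath): string
{
    $base  = basename($clientName);
    $base  = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        throw new RuntimeException('filename must have the form name.ext');
    }
    // Double-extension check: every dotted segment after the base name counts as an extension.
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
            throw new RuntimeException("disallowed extension segment: $ext");
        }
    }
    $final = end($exts);
    if (!isset(ALLOWED_TYPES[$final])) {
        throw new RuntimeException("extension not in allowlist: $final");
    }
    // Content check: trust the bytes, not the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES[$final], true)) {
        throw new RuntimeException("content type $mime does not match .$final");
    }
    // Random, single-extension storage name: the attacker-chosen name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

/** Runs the validator over constructed sample uploads and returns each verdict. */
function demo(): array
{
    $cases = [
        // constructed samples: [client filename, file bytes]
        ['notes.txt',      "Constructed plain text.\n"],     // accepted
        ['report.php.pdf', "%PDF-1.4\n%constructed\n"],      // double extension: rejected by name
        ['photo.png',      "not really an image\n"],         // name says PNG, bytes say text: rejected
    ];
    $results = [];
    foreach ($cases as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        try {
            $results[$name] = 'accepted as ' . validate_upload($name, $tmp);
        } catch (RuntimeException $e) {
            $results[$name] = 'rejected: ' . $e->getMessage();
        } finally {
            unlink($tmp);
        }
    }
    return $results;
}

foreach (demo() as $name => $verdict) {
    echo str_pad($name, 18) . $verdict . PHP_EOL;
}
```

Run it with `php upload_check.php`: the plain-text file is accepted under a random single-extension name, the double-extension name is rejected before its bytes are even inspected, and the mislabelled PNG is rejected because `finfo` reports `text/plain`. Because the stored name is generated rather than attacker-supplied, no file carrying a dangerous extension segment is ever written, whatever timing an attacker manages; the web-server rule denying script execution in the upload directory from the recommendation above remains the second layer.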



Advisories
Source: EUVD
ID: EUVD-2025-1976
Title: The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00289}
Values Added: {'score': 0.00365}


Wed, 12 Feb 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 05 Feb 2025 03:30:00 +0000

Type: Description
Values Added: The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.

Type: Title
Values Added: Contact Manager <= 8.6.4 - Unauthenticated Arbitrary Double File Extension Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:33.904Z

Reserved: 2025-02-04T14:31:03.025Z

Link: CVE-2025-1028

Vulnrichment

Updated: 2025-02-12T20:43:24.232Z

NVD

Status: Deferred

Published: 2025-02-05T04:15:06.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses