Impact
The Drag and Drop Multiple File Upload for Contact Form 7 plugin is missing an ownership (authorization) check in its file-delete functionality. When the "Send attachments as links" feature is turned on, an unauthenticated visitor can invoke the delete routine and remove any file uploaded through the plugin, not only files that visitor uploaded. The result is unauthorized deletion of user-supplied attachments, which compromises the integrity of submitted data and can disrupt site operations that depend on those files.
Affected Systems
Versions of the plugin up to and including 1.3.9.2, distributed as a WordPress plugin, are affected. The vulnerable component is the dnd_codedropz_upload_delete() function of the Drag and Drop Multiple File Upload for Contact Form 7 plugin, authored by glenwpcoder. Any WordPress installation with this plugin installed and the "Send attachments as links" option enabled is susceptible; installations with the option disabled are not described as affected.
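The following PHP is an added illustration of the flaw class described above and is not code from the plugin or its author; it makes no claim about how dnd_codedropz_upload_delete() is actually written or how it was fixed. It models an anonymous upload-then-delete flow of the kind a contact-form uploader needs (visitors add and remove attachments before submitting), so "ownership" cannot be tied to a WordPress login. The `demo_` function names, the `demo-uploads` directory and the transient key prefix are hypothetical; the WordPress functions called are real.

```php
<?php
// Added example, not the plugin's code. Shows an anonymous delete handler with
// no ownership check next to a hardened version that binds each upload to a
// secret handle issued at upload time. Names prefixed demo_ are hypothetical.

function demo_upload_dir() {
    // Hypothetical storage location under the standard WordPress uploads tree.
    return trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-uploads/';
}

// ---- Vulnerable pattern: any caller can delete any file by name. ----
function demo_delete_vulnerable() {
    $name = isset( $_POST['name'] ) ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    $path = demo_upload_dir() . $name;
    if ( '' !== $name && file_exists( $path ) ) {
        wp_delete_file( $path ); // nothing ties the caller to this file
    }
    wp_send_json_success();
}
// Registered for logged-out visitors because the form is public.
add_action( 'wp_ajax_nopriv_demo_delete_vulnerable', 'demo_delete_vulnerable' );
add_action( 'wp_ajax_demo_delete_vulnerable', 'demo_delete_vulnerable' );

// ---- Hardened pattern: ownership is a secret handle, not a login. ----

// Call this right after a file has been stored. Returns the handle the
// client must present to delete the file; only its hash is kept server-side.
function demo_register_owner( $name ) {
    $handle = wp_generate_password( 32, false );
    set_transient( 'demo_owner_' . md5( $name ), wp_hash( $handle ), HOUR_IN_SECONDS );
    return $handle;
}

function demo_delete_hardened() {
    // CSRF protection only: logged-out visitors share one nonce per action,
    // so this does NOT prove the caller uploaded the file.
    check_ajax_referer( 'demo_upload', 'nonce' );

    $name   = isset( $_POST['name'] )   ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    $handle = isset( $_POST['handle'] ) ? (string) wp_unslash( $_POST['handle'] ) : '';
    if ( '' === $name || '' === $handle ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Ownership check: the presented handle must hash to the stored value.
    $stored = get_transient( 'demo_owner_' . md5( $name ) );
    if ( false === $stored || ! hash_equals( $stored, wp_hash( $handle ) ) ) {
        wp_send_json_error( 'not found', 404 ); // same answer as "no such file"
    }

    // Path containment: the resolved path must stay inside the upload dir.
    $base = realpath( demo_upload_dir() );
    $real = realpath( demo_upload_dir() . $name );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_delete_file( $real );
    delete_transient( 'demo_owner_' . md5( $name ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_delete_hardened', 'demo_delete_hardened' );
add_action( 'wp_ajax_demo_delete_hardened', 'demo_delete_hardened' );
```

The design choice worth noting is that a nonce alone is not an ownership check for a public form: WordPress issues the same nonce to every logged-out visitor for a given action, so it stops cross-site forgery but not another anonymous visitor who knows a file name. Binding deletion to a per-upload secret that only the uploader received is what turns "delete any file" into "delete your own file", and the containment check prevents the file name from escaping the upload directory.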
Risk and Exploitability
The vulnerability carries a CVSS score of 3.7, which falls in the Low band of the CVSS qualitative scale. The EPSS score is reported as below 1%, indicating a very low estimated likelihood of exploitation in the wild, and the issue is not currently listed in the CISA KEV catalog. An attacker triggers the deletion by sending an unauthenticated request to the plugin's delete endpoint; no privileges are required, and the only precondition the advisory names is that the "Send attachments as links" setting is enabled. The impact is limited to loss of uploaded files, which can affect user experience and site functionality; the advisory describes no path to code execution or data exfiltration.
OpenCVE Enrichment