Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Stored XSS via unfiltered file upload
Action: Implement Workaround
AI Analysis

Impact

The Drag and Drop Multiple File Upload – Contact Form 7 add-on for WordPress accepts unauthenticated uploads of .phar and .svg files through its front-end upload field, because neither extension is on the list of types the plugin refuses. The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type): the check is an extension block list, and these two dangerous extensions are simply missing from it, which is why the upload is described as "limited" rather than fully arbitrary. An uploaded .phar file becomes a remote code execution path if the web server hands .phar files to the PHP interpreter; the attacker then only has to request the file directly. An uploaded .svg can carry inline JavaScript, but it yields stored cross-site scripting only when a victim opens the SVG itself from the site's origin (for example by following a direct link), since browsers do not execute script inside SVGs rendered through an img element. That is the "certain circumstances" the description refers to.

Affected Systems

The issue affects all versions of the Drag and Drop Multiple File Upload – Contact Form 7 add-on (author glenwpcoder, listed as vendor Codedropz in the CPE data below) up to and including 1.3.9.2. The add-on extends the core Contact Form 7 plugin, so any WordPress site running Contact Form 7 together with the add-on at version 1.3.9.2 or earlier is affected. Site owners should confirm whether the add-on is installed and at what version, either from Plugins > Installed Plugins in the dashboard or with WP-CLI: wp plugin list --fields=name,version,status.

Risk and Exploitability

The CVSS 3.1 vector on this record (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1 Medium) is scored for the stored XSS outcome: network-reachable, no privileges required, but a victim has to open the uploaded SVG. The EPSS score below 1% and the absence of a CISA KEV entry indicate no observed exploitation as of the latest data, and the SSVC record in the history below marks Exploitation as none and the flaw as not automatable. That rating understates the exposure on hosts where the web server maps .phar files to the PHP interpreter: there the same upload is an unauthenticated remote code execution path, triggered by a single request for the uploaded file, with no user interaction at all. This mapping is not exotic; the Debian and Ubuntu Apache mod_php packages, for example, ship a FilesMatch rule for ".+\.ph(ar|p|tml)$" that treats .phar as PHP by default. The attack surface is any public-facing Contact Form 7 form that exposes the add-on's uploader, so the vector is remote and unauthenticated.

Generated by OpenCVE AI on April 21, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround is recorded for this CVE at the time of writing. The mitigations under OpenCVE Recommended Actions do not depend on a vendor patch and are the workaround to apply in the meantime.

OpenCVE Recommended Actions

  • Update the Drag and Drop Multiple File Upload for Contact Form 7 plug‑in to the latest released version if available; if no update exists, remove the plug‑in or disable file uploads.
  • Upgrade the core Contact Form 7 plugin to the latest stable release if still running an older version.
  • Use a security plug‑in or custom configuration to whitelist allowed file types, excluding .phar and .svg files.
  • Configure the web‑server to prohibit execution of .phar files in the upload directory, preventing execution even if a malicious file arrives.
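The last two recommendations above (refuse dangerous types, and make sure nothing in the upload tree can execute or script even if it gets there) can be applied at the web-server level regardless of how the plugin itself validates extensions. The following is an added example written for this page, not code from the plugin or from OpenCVE. It assumes Apache with mod_php and mod_headers, .htaccess processing enabled for the upload tree, and the default wp-content/uploads location (the plugin's own subdirectory name is not assumed; the rules cover the whole tree). The sample files it scans are constructed here for the demonstration and are not real uploads.

```shell
#!/bin/sh
# Added example for CVE-2025-14842 (not code from the plugin or from OpenCVE).
# Assumptions: Apache with mod_php and mod_headers, .htaccess honoured under
# wp-content/uploads. nginx deployments need equivalent "location" rules
# in the server block instead (see the note after this block).

# Drop an .htaccess into the uploads tree that (a) refuses to serve anything
# the PHP handler could execute, .phar included, and (b) makes SVGs download
# rather than render, with a CSP sandbox so inline script runs in an opaque
# origin instead of the site's own.
write_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Never serve PHP-family files from the uploads tree, whatever the handler map says.
<FilesMatch "\.(php|phar|phtml|phps|php[0-9]+)$">
    Require all denied
</FilesMatch>
# Stored-XSS mitigation for uploaded SVGs: force download and sandbox.
<IfModule mod_headers.c>
    <FilesMatch "\.svg$">
        Header set Content-Disposition "attachment"
        Header set Content-Security-Policy "sandbox"
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</IfModule>
EOF
}

# Triage helper for a site that may already have received uploads: print every
# .phar or .svg under the given tree whose content carries a PHP open tag, a
# phar stub marker, an inline <script>, a javascript: URL or an on*= handler.
# One path per line; nothing printed means no hits.
scan_uploads() {
    find "$1" -type f \( -iname '*.phar' -o -iname '*.svg' \) -exec grep -liE \
        '<\?(php|=)|__HALT_COMPILER|<script|javascript:|[[:space:]]on[a-z]+[[:space:]]*=' \
        {} + 2>/dev/null || true
}

# Number of flagged files, for a quick pass/fail in scripts.
count_hits() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real uploads) so the helpers can be run offline.
make_sample_uploads() {
    dir="$1"
    mkdir -p "$dir/2026/01"
    # Minimal phar stub: exactly what a server that maps .phar to PHP would run.
    printf '%s\n' '<?php echo "stub"; __HALT_COMPILER(); ?>' > "$dir/2026/01/evil.phar"
    # SVG with an inline script and an event handler attribute.
    printf '%s\n' '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>' \
        > "$dir/2026/01/evil.svg"
    # Benign SVG; its XML prolog must not trip the PHP-tag pattern.
    printf '%s\n' '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>' \
        > "$dir/2026/01/logo.svg"
    # Script text under an extension that is not scanned is ignored.
    printf '%s\n' '<script>ignored</script>' > "$dir/2026/01/notes.txt"
}

# Demo run against a throwaway directory: writes the .htaccess, lists the
# two constructed malicious files, and cleans up.
demo_dir=$(mktemp -d)
make_sample_uploads "$demo_dir"
write_uploads_htaccess "$demo_dir"
echo "Flagged files:"
scan_uploads "$demo_dir"
rm -rf "$demo_dir"
```

To confirm whether a given host actually executes .phar as PHP before relying on the score, place a file named probe.phar containing only <?php echo 'exec'; in the uploads directory over SSH and fetch it with curl: a body of exec means the handler mapping is in place, the PHP source echoed back means it is not; delete the probe afterwards. On nginx the equivalent of the deny rule is a block such as location ~* ^/wp-content/uploads/.*\.(php|phar|phtml)$ { deny all; } placed before the PHP location, and the SVG headers go in a matching location with add_header. The Require all denied rule also blocks legitimate downloads of .phar files from the upload tree, which is the intended outcome here since the form should not be accepting them in the first place.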

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7; Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 06:45:00 +0000

Type: Description
Values Added: The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.

Type: Title
Values Added: Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:26.486Z

Reserved: 2025-12-17T17:58:42.026Z

Link: CVE-2025-14842

Vulnrichment

Updated: 2026-01-07T14:51:23.573Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:56.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses