Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
Published: 2025-03-28
Score: 8.8 High
EPSS: 3.9% Low
KEV: No
Impact: Arbitrary file deletion that can lead to remote code execution
Action: Patch
AI Analysis

Impact

The Drag and Drop Multiple File Upload for Contact Form 7 plugin lets an unauthenticated attacker supply an arbitrary file path (for example ../../../../wp-config.php) as the name of an "uploaded" file attached to a form submission. The path is stored with the message and later handed to the dnd_remove_uploaded_files function, which does not validate that it stays inside the upload directory: a classic path traversal flaw (CWE-22). When an administrator deletes the message, the cleanup routine unlinks the attacker-chosen path, so files such as wp-config.php are removed with the web server's privileges. Deleting wp-config.php is the usual route to remote code execution here, because WordPress then presents the installation wizard and an attacker who completes it with their own database can install arbitrary code; the result is a full compromise of confidentiality, integrity, and availability.
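The bug class above in code, as an added example that is not the plugin's own code: an unsafe cleanup routine that trusts the stored file name, next to a hardened version that confines deletion to the upload directory. The function names, the directory layout and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the plugin. Names and paths are illustrative assumptions.

// Vulnerable pattern (CWE-22): the stored name is trusted, so a value such as
// '../../../wp-config.php' walks out of the upload directory before unlink().
function dnd_remove_uploaded_file_unsafe(string $uploadDir, string $storedName): bool
{
    $path = rtrim($uploadDir, '/') . '/' . $storedName;
    return is_file($path) && unlink($path);
}

// Hardened pattern: accept only a bare file name, resolve the real path, and require
// the resolved target to remain inside the upload directory.
function dnd_remove_uploaded_file_safe(string $uploadDir, string $storedName): bool
{
    $base = realpath($uploadDir);
    if ($base === false || $storedName === '') {
        return false;
    }
    // A legitimate upload is stored as a bare basename. Anything carrying a directory
    // separator, a NUL byte, or a '.'/'..' component is rejected before touching disk.
    if ($storedName !== basename($storedName)
        || strpos($storedName, "\0") !== false
        || $storedName === '.' || $storedName === '..') {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $storedName);
    if ($target === false) {
        return false; // nothing to delete
    }
    // realpath() also resolves symlinks, so a link planted inside the upload directory
    // that points at wp-config.php fails this containment check as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on a throwaway directory tree (constructed here, not real site data).
$root    = sys_get_temp_dir() . '/dnd-demo-' . bin2hex(random_bytes(4));
$uploads = "$root/wp-content/uploads/cf7-uploads"; // assumed upload folder name
mkdir($uploads, 0700, true);
file_put_contents("$root/wp-config.php", "<?php // stand-in for the real config\n");
file_put_contents("$uploads/report.pdf", 'legitimate upload');

$traversal = '../../../wp-config.php'; // three levels up from $uploads to $root

// Hardened routine: traversal rejected, config untouched, legitimate file removed.
if (dnd_remove_uploaded_file_safe($uploads, $traversal) !== false) {
    throw new RuntimeException('hardened routine followed a traversal path');
}
if (!file_exists("$root/wp-config.php")) {
    throw new RuntimeException('hardened routine deleted wp-config.php');
}
if (!dnd_remove_uploaded_file_safe($uploads, 'report.pdf')) {
    throw new RuntimeException('hardened routine refused a legitimate upload');
}

// Unsafe routine: the same stored name deletes the config, the outcome the advisory describes.
if (!dnd_remove_uploaded_file_unsafe($uploads, $traversal)) {
    throw new RuntimeException('unsafe routine unexpectedly refused the traversal path');
}
echo file_exists("$root/wp-config.php") ? "wp-config.php survived\n" : "wp-config.php deleted by unsafe routine\n";

// Clean up the throwaway tree.
rmdir($uploads);
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

Run it with `php example.php`; the script throws if the hardened routine misbehaves and otherwise reports that only the unsafe variant removed wp-config.php. The containment check compares against the resolved directory plus a trailing separator, which avoids a sibling directory with a shared prefix (for example cf7-uploads-old) passing as "inside".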

Affected Systems

Affected systems are WordPress installations running the Drag and Drop Multiple File Upload for Contact Form 7 plugin, versions up to and including 1.3.8.7. The flaw is only exploitable when the Flamingo plugin is installed and activated, since Flamingo is what stores the submitted messages (and their attached upload paths) that an administrator later deletes.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) classifies this as a high severity flaw; the EPSS of 3.9% is labelled Low, and the vulnerability is not listed in the CISA KEV catalog. Attackers do not need authentication: they submit a crafted form entry whose stored file path points outside the upload directory. The UI:R component matters in practice: the deletion only runs when an administrator later deletes the message in Flamingo, so the attacker depends on a victim action, although a contact-form submission is a normal interaction and nothing visible marks the message as malicious. Failure to address the flaw may allow deletion of any file the web server user can remove, which can escalate to remote code execution through subsequent exploitation pathways.

Generated by OpenCVE AI on April 28, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a fixed version (newer than 1.3.8.7) as soon as one is available, and verify the installed version after updating.
  • If an immediate update is not possible, deactivate the plugin, or at least stop administrators from deleting Flamingo messages until patched. Note that the vulnerable deletion runs server-side when an administrator deletes a message, not on a request the attacker sends directly, so web server or firewall rules limiting access to administrators do not prevent exploitation.
  • Remove the Flamingo plugin if it is not required, as the vulnerability requires Flamingo to be active; its removal eliminates the exploitation vector.

Generated by OpenCVE AI on April 28, 2026 at 22:49 UTC.


Advisories
Source ID Title
EUVD EUVD-2025-8553 The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
History

Tue, 12 Aug 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Codedropz
Codedropz drag And Drop Multiple File Upload - Contact Form 7
CPEs cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*
Vendors & Products Codedropz
Codedropz drag And Drop Multiple File Upload - Contact Form 7

Fri, 28 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
Title Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:42.121Z

Reserved: 2025-03-14T19:51:47.923Z

Link: CVE-2025-2328

Vulnrichment

Updated: 2025-03-28T14:35:16.431Z

NVD

Status : Analyzed

Published: 2025-03-28T07:15:39.243

Modified: 2025-08-12T17:29:27.360

Link: CVE-2025-2328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses