Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
Published: 2025-03-28
Score: 7.5 High
EPSS: 1.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Drag and Drop Multiple File Upload for Contact Form 7 plugin deserializes untrusted input in the “dnd_upload_cf7_upload” function, allowing an attacker to supply a crafted PHAR file whose serialized metadata injects a PHP object. The vulnerable plugin itself contains no Property‑Oriented Programming (POP) chain, so on its own the flaw cannot delete files or run code; if another plugin or theme on the same site provides a compatible POP chain, however, the attacker could delete arbitrary files, read sensitive data, or execute arbitrary code. The flaw is exploitable by unauthenticated users who can submit a form that includes a file upload field, and it requires the Flamingo plugin to be installed and activated.

Affected Systems

All WordPress sites that use the Drag and Drop Multiple File Upload for Contact Form 7 plugin by glenwpcoder and have a version up to and including 1.3.8.7 are affected. A partial patch was added in 1.3.8.8, but the vulnerability remains until a full fix mitigates the PHAR deserialization path.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of about 2% (rated Low) puts the estimated probability of exploitation attempts in the wild at the low end. The vulnerability is not listed in the CISA KEV catalog. The attack is network‑reachable and needs no authentication: any publicly accessible form that uses the plugin's upload handler is a potential entry point, although the CVSS vector recorded for this CVE (AV:N/AC:H/PR:N/UI:R) rates attack complexity as high and requires user interaction. The actual impact hinges on the presence of a compatible POP chain in another plugin or theme and on the Flamingo plugin being active. Where those prerequisites are absent, the risk is substantially lower, but unpatched sites that run the affected plugin alongside third‑party components containing a POP chain remain at high risk.

Generated by OpenCVE AI on May 6, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to version 1.3.8.8 or later; 1.3.8.8 contains the partial patch for the vulnerable deserialization path
  • If upgrading is not immediately possible, disable the Flamingo plugin or ensure it is not present, as the attack requires it
  • Remove or neutralize any POP chain-capable plugins or themes on the site, and consider replacing the contact‑form upload plugin with a secured alternative



Advisories

Source: EUVD
ID: EUVD-2025-8552
Title: the full vulnerability description (same text as the Description above)
History

Tue, 12 Aug 2025 17:30:00 +0000

Type: First Time appeared
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7

Type: CPEs
Values Added: cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7

Wed, 07 May 2025 16:00:00 +0000

Type: Description
Values Removed: the earlier description text (identical to the Description above but without its final sentence)
Values Added: the same text with the sentence "The vulnerability was partially patched in version 1.3.8.8." appended

Type: References (values not displayed)

Fri, 28 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 07:00:00 +0000

Type: Description
Values Added: the original description text (identical to the Description above but without its final sentence)

Type: Title
Values Added: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-502

Type: References (values not displayed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:16.447Z

Reserved: 2025-03-17T23:34:34.529Z

Link: CVE-2025-2485

Vulnrichment

Updated: 2025-03-28T14:34:35.866Z

NVD

Status: Analyzed

Published: 2025-03-28T07:15:39.450

Modified: 2025-08-12T17:22:25.077

Link: CVE-2025-2485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses