Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
Published: 2025-06-17
Score: 8.1 High
EPSS: 4.6% Low
KEV: No
Impact: Arbitrary File Upload with potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Drag and Drop Multiple File Upload for Contact Form 7 plugin allows an unauthenticated attacker to upload files of arbitrary type, because the plugin does not enforce proper file type validation. The flaw enables upload of dangerous file extensions such as .phar, which, if the server is configured to treat .phar as executable PHP scripts, can be executed simply by requesting the uploaded file over HTTP, leading to remote code execution on the host. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), reflecting improper file type validation.

Affected Systems

The vulnerability affects the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin, version 1.3.8.9 or earlier. Any WordPress installation that has this plugin installed and running the affected versions is susceptible, regardless of user role or privileges. The issue is tied to the plugin’s upload endpoint rather than specific WordPress core files.

Risk and Exploitability

The CVSS score of 8.1 quantifies the severity as high, with an EPSS score of 5% indicating a moderate likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can reach the upload functionality without authentication, making exploitation straightforward once they identify an affected WordPress site that employs the vulnerable plugin. If the host’s Apache+mod_php configuration automatically interprets .phar files as PHP, the attacker could achieve remote code execution as the web server’s user.

Generated by OpenCVE AI on April 28, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Drag and Drop Multiple File Upload plugin to a version that includes file type validation fixes. If a fixed version is not available, remove or deactivate the plugin immediately.
  • Apply server‑level restrictions to disable execution of .phar files in web‑accessible directories, such as configuring Apache to forbid .phar extensions or updating php.ini to disable phar autoloading.
  • Configure the plugin’s upload directory outside the web root or apply HTTP authentication to the upload endpoint to reduce exposure.
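The description above attributes the flaw to a bypassable extension blacklist, and the first recommended action asks for proper file type validation. The following Python example, added here and not taken from the plugin, from Wordfence, or from OpenCVE, contrasts a blacklist-style check of the kind the advisory describes with an allowlist check that also discards the user-supplied name and verifies leading bytes. The blacklist, allowlist and signature table are constructed for illustration; the helper names (`blacklist_allows`, `allowlist_check`, `accept_upload`) are this example's own.

```python
"""Blacklist vs. allowlist upload validation (added example, not the plugin's code)."""
import os
import secrets

# Constructed blacklist in the spirit of the advisory: it names some executable
# extensions but not every suffix a web server may hand to PHP. Debian-style
# Apache+mod_php setups also map ".phar" to the PHP handler, so it slips through.
BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "exe", "js", "html"}

# Constructed allowlist: the only extensions a contact form should accept.
ALLOWLIST = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}

# Constructed leading-byte signatures for the allowed binary types. "txt" has
# no fixed signature and is accepted on extension alone.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
}


def _basename(filename):
    """Strip directories and trailing dots/spaces, which some filesystems drop silently."""
    return os.path.basename(filename.strip()).rstrip(". ")


def _extensions(filename):
    """Every dot-separated suffix of the basename, lower-cased: 'a.php.jpg' -> ['php', 'jpg']."""
    parts = _basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def blacklist_allows(filename):
    """Weak pattern: reject only when the final extension is on the blacklist.

    Kept here to show what gets through: '.phar', '.PHAR' and anything not listed.
    """
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    return last not in BLACKLIST


def allowlist_check(filename, token=None):
    """Allowlist pattern: return the name to store under, or None if rejected.

    Only the final extension is consulted, and the stored name is server-generated,
    so inner extensions ('shell.php.jpg'), path segments and dotfiles never reach disk.
    Apache's AddHandler can match an inner extension, which is why renaming matters.
    """
    base = _basename(filename)
    if not base or base.startswith("."):
        return None
    exts = _extensions(base)
    if not exts or exts[-1] not in ALLOWLIST:
        return None
    token = token or secrets.token_hex(16)
    return f"{token}.{exts[-1]}"


def content_matches(data, ext):
    """Check the leading bytes against the expected signature for ext."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return True
    return any(data.startswith(s) for s in sigs)


def accept_upload(filename, data, token=None):
    """Full check: allowlisted extension, server-generated name, matching content."""
    stored = allowlist_check(filename, token)
    if stored is None:
        return None
    ext = stored.rsplit(".", 1)[1]
    return stored if content_matches(data, ext) else None


if __name__ == "__main__":
    # Constructed sample names: the first three pass the blacklist and fail the allowlist.
    for name in ["shell.phar", "shell.PHAR", "shell.php.jpg", "shell.php", "photo.jpg"]:
        print(f"{name:14} blacklist={blacklist_allows(name)!s:5} allowlist={allowlist_check(name, 'demo')}")
    # Constructed PNG header versus PHP source saved under a .png name.
    print(accept_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "demo"))
    print(accept_upload("photo.png", b"<?php echo 1; ?>", "demo"))
```

Run as a script, the table shows `shell.phar` and `shell.PHAR` accepted by the blacklist and rejected by the allowlist, and `shell.php.jpg` stored as `demo.jpg` with the inner `.php` gone. The signature check is a second layer, not a substitute for the allowlist: a file whose bytes start with a valid PNG header can still carry PHP later in the stream, which is why the server-side handler restriction in the second recommended action still matters.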

Advisories
Source: EUVD
ID: EUVD-2025-18492
Title: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
History

Mon, 11 Aug 2025 18:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Codedropz; Codedropz drag And Drop Multiple File Upload - Contact Form 7

Tue, 17 Jun 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 09:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Type: Title
Values Removed: (none)
Values Added: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:55.327Z

Reserved: 2025-04-11T11:25:49.385Z

Link: CVE-2025-3515

Vulnrichment

Updated: 2025-06-17T14:24:43.344Z

NVD

Status: Analyzed

Published: 2025-06-17T10:15:23.507

Modified: 2025-08-11T18:37:44.530

Link: CVE-2025-3515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses