Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3.
Published: 2025-05-23
Score: 8.6 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper limitation of a pathname to a restricted directory allows an attacker to delete arbitrary files from a WordPress site. The flaw arises in how the Drag and Drop File Upload for Elementor Forms plugin handles file deletion requests, permitting path traversal that bypasses intended directory restrictions. This weakness, identified as CWE-22, can lead to removal of configuration files, media assets or other critical content, effectively compromising the site’s integrity and availability.

Affected Systems

The vulnerability affects the add-ons.org WordPress plugin “Drag and Drop File Upload for Elementor Forms”, specifically versions up to and including 1.4.3. No explicit patch version is listed, but any release beyond 1.4.3 is presumed to contain the fix. Site administrators should determine whether the affected plugin is installed and identify the version in use.

Risk and Exploitability

The CVSS score of 8.6 categorizes this flaw as high severity, and the EPSS score of 1% indicates a low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attacks likely occur through the plugin’s web interface, where an attacker can manipulate deletion requests to target arbitrary paths. Successful exploitation would result in file deletion, thereby compromising site availability and integrity.

Generated by OpenCVE AI on May 1, 2026 at 08:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drag and Drop File Upload for Elementor Forms to version 1.4.4 or later, if available.
  • If an upgrade cannot be performed immediately, disable the Drag and Drop File Upload feature to block the deletion endpoint.
  • Monitor server logs for anomalous file deletion attempts and enforce strict file‑system permissions to limit the web server’s ability to delete critical files.

Generated by OpenCVE AI on May 1, 2026 at 08:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28087 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.4.3. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3.
Title WordPress Drag and Drop File Upload for Elementor Forms <= 1.4.3 - Arbitrary File Deletion Vulnerability WordPress Drag and Drop File Upload for Elementor Forms plugin <= 1.4.3 - Arbitrary File Deletion Vulnerability
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.4.3.
Title WordPress Drag and Drop File Upload for Elementor Forms <= 1.4.3 - Arbitrary File Deletion Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.737Z

Reserved: 2025-05-07T09:39:15.825Z

Link: CVE-2025-47492

cve-icon Vulnrichment

Updated: 2025-05-23T14:58:53.865Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:38.297

Modified: 2026-04-23T15:30:19.620

Link: CVE-2025-47492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses