Description
Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3.
Published: 2025-08-28
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains an unrestricted upload condition that permits an attacker to upload files with dangerous types to the web server. An attacker can inject a web shell, which could be used to gain remote execution and complete compromise of the site. The weakness is consistent with CWE-434 where the system fails to validate or filter uploaded content. Exposure could allow an attacker to exfiltrate data, deface the site, or use the server for malicious purposes.

Affected Systems

Add-ons.org’s Drag and Drop File Upload for Elementor Forms is affected. Any installation using versions from the initial release through 1.5.3 is vulnerable. Versions >=1.5.4 are not listed as affected.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity. The EPSS score of < 1% reflects a very low probability of exploitation in the wild, yet the risk of a credentialed or post‑authentication upload remains high because the attack requires access to the form submission mechanism. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but its potential to deliver a web shell warrants prompt action. The likely attack vector is via the Elementor form interface using legitimate upload capabilities.

Generated by OpenCVE AI on April 30, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drag and Drop File Upload for Elementor Forms to the latest available version (>=1.5.4).
  • If an upgrade is not immediately possible, disable or uninstall the plugin to prevent file uploads.
  • Implement server‑side file type validation or a Web Application Firewall rule set that blocks executable and script file extensions from being uploaded.

Generated by OpenCVE AI on April 30, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26012 Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.5.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.5.3. Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.5.3.
Title WordPress Drag and Drop File Upload for Elementor Forms Plugin <= 1.5.3 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Elementor Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:02.831Z

Reserved: 2025-06-04T15:43:46.346Z

Link: CVE-2025-49387

cve-icon Vulnrichment

Updated: 2025-08-28T15:38:40.701Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:15:59.230

Modified: 2026-04-23T15:31:34.733

Link: CVE-2025-49387

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses