Impact
The vulnerability allows an attacker to upload a file of any type to the web server. The practical payload is a web shell (for example a PHP file placed under the web root), which the attacker then requests over HTTP to execute commands as the web server user and take control of the host. The result is a complete loss of confidentiality, integrity and availability for the affected system: the attacker can read, modify, delete or exfiltrate data, plant further malware, or perform other malicious actions. The weakness is the classic CWE-434, Unrestricted Upload of File with Dangerous Type.
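As an added illustration (not code from the plugin or from this advisory), the following Python contrasts an upload handler that exhibits CWE-434 with one that validates the file before storing it. The allowlist, the magic-byte table, the dangerous-extension list and the function names are assumptions chosen for the example; a WordPress plugin would get the equivalent checks from wp_check_filetype_and_ext() and wp_handle_upload() rather than re-implementing them.

```python
import os
import secrets

# Assumed allowlist for a contact form that collects images and documents.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Extensions a PHP-capable web server may execute. None may appear anywhere
# in the name, so "shell.php.jpg" is rejected as well as "shell.php".
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                        "phar", "htaccess", "shtml", "cgi"}

# Expected leading bytes per allowed type: the extension is attacker-chosen,
# the content is what the server actually interprets.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags; their presence inside an otherwise valid image or text file
# turns it into a polyglot payload.
PHP_MARKERS = (b"<?php", b"<?=")


def vulnerable_accept(filename, data):
    """CWE-434 pattern: store whatever the client sent, under the name it chose.
    Returns (accepted, stored_name)."""
    return True, os.path.basename(filename)


def hardened_accept(filename, data):
    """Validate name and content; return (accepted, stored_name).
    The stored name is random so the attacker cannot choose or predict it."""
    base = os.path.basename(filename)
    if "\x00" in base:                      # null-byte truncation tricks
        return False, ""
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:       # no extension, or a leading/trailing dot
        return False, ""
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:       # last extension must be on the allowlist
        return False, ""
    if any(p in DANGEROUS_EXTENSIONS for p in parts[1:-1]):   # double extensions
        return False, ""
    if ext in MAGIC and not data.startswith(MAGIC[ext]):      # content must match type
        return False, ""
    if any(m in data for m in PHP_MARKERS):                   # no embedded PHP
        return False, ""
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads, not real captures.
    samples = [
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
        ("notes.txt", b"<?= shell_exec($_POST['c']) ?>"),
    ]
    for name, data in samples:
        print(name, "vulnerable:", vulnerable_accept(name, data)[0],
              "hardened:", hardened_accept(name, data)[0])
```

Validation alone is not the whole fix: the upload directory should also be served with PHP execution disabled, so that a file which slips past the checks is returned as bytes rather than run.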
Affected Systems
The flaw exists in the borisolhor Drop Uploader for CF7 – Drag & Drop File Uploader Addon plugin for WordPress (an add-on to Contact Form 7), in all releases up to and including version 2.4.1. Any WordPress site that has the plugin installed and at least one form configured to accept file uploads is affected.
Risk and Exploitability
The CVSS score of 10.0 is the maximum possible and indicates a catastrophic potential impact; under every CVSS version that score is only reachable for a flaw exploitable over the network with no privileges and no user interaction, so the plugin's upload endpoint can be abused by anyone who can reach the contact form, without a WordPress account. The EPSS score of less than 1% indicates that, at the time of this analysis, the estimated probability of exploitation in the wild over the next 30 days is low, but an unauthenticated upload that yields a web shell is trivial to weaponize and still warrants urgent patching. The vulnerability is not listed in CISA's KEV catalog, so no large-scale exploitation campaign has been attributed to it yet. An attacker would most likely submit the malicious file remotely through the form's file field, then request it directly from the uploads directory to execute it.
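For responders who need to know whether the upload endpoint has already been abused, here is an added example (not part of this advisory or the plugin) of a scanner that walks an uploads directory and flags the artefacts a web shell drop leaves behind: files with executable PHP extensions, files whose benign extension hides PHP code, and an .htaccess that overrides handlers so the server executes non-PHP files. The directory layout and file contents it builds are constructed sample data, and the marker lists and function names are assumptions.

```python
import os
import re
import tempfile

# Extensions a PHP-enabled server will execute if requested directly.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# PHP open tags; their presence in a .jpg/.png/.txt means a polyglot payload.
PHP_MARKERS = (b"<?php", b"<?=")

# Apache directives an attacker plants in an uploads .htaccess to get
# non-.php files executed or PHP settings changed.
HTACCESS_SUSPECT = re.compile(rb"\b(AddHandler|AddType|SetHandler|php_value|php_flag)\b", re.I)


def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)   # first 64 KiB; raise for large polyglots
            except OSError:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((rel, "executable extension under uploads"))
            elif any(m in head for m in PHP_MARKERS):
                findings.append((rel, "PHP open tag in non-PHP file"))
            if name == ".htaccess" and HTACCESS_SUSPECT.search(head):
                findings.append((rel, "handler override in .htaccess"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed uploads tree (sample data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2024", "05")
    os.makedirs(month)
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                 # benign
        "report.pdf": b"%PDF-1.4\n%benign",                              # benign
        "shell.php": b"<?php @eval($_POST['x']); ?>",                     # dropped web shell
        "logo.png": b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>",     # polyglot image
        ".htaccess": b"AddHandler application/x-httpd-php .png\n",        # makes logo.png executable
    }
    for name, content in files.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Run it against the site's real wp-content/uploads and treat every hit as an incident lead; pair it with a check that the web server configuration refuses to execute PHP under that directory at all.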
OpenCVE Enrichment