Description
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations. CVE-2025-49885 may be a duplicate of this.
Published: 2025-07-02
Score: 9.8 Critical
EPSS: 2.1% Low
KEV: No
Impact: Unauthenticated arbitrary file upload may enable remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Drag and Drop Multiple File Upload (Pro) – WooCommerce plugin accepts uploads from unauthenticated users without validating the file type. The flaw sits in the dnd_upload_cf7_upload_chunks() function and lets an attacker write arbitrary files, including PHP scripts, into the plugin's upload location on the web server. The plugin ships a .htaccess file that disables PHP execution there, but .htaccess directives are honoured only by Apache, and only when AllowOverride permits them: nginx ignores the file entirely, Apache with AllowOverride None does the same, and a rule that matches only the .php extension leaves any other extension the server maps to PHP (.phtml or .phar, for example) executable. On such configurations an uploaded script can be requested and executed directly, giving remote code execution with full loss of confidentiality, integrity and availability, which is why the issue is rated critical despite the partial mitigation.

Affected Systems

Affected versions are all standalone releases of the plugin up to and including 1.7.1, and the bundled 5.0 through 5.0.5 releases that ship with the PrintSpace theme. Any WordPress installation running one of these versions is vulnerable until the plugin is updated or removed.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classifies the issue as critical, and the EPSS score of 2.1% indicates that exploitation is not yet widespread but carries a real, non-zero probability. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded at publication noted no known exploitation, but it rated the flaw automatable with total technical impact. Because the upload path requires no authentication, an attacker only needs to send a crafted upload request to the endpoint served by the vulnerable function; whether the uploaded file can then be executed depends on whether the server configuration actually blocks PHP execution in the upload directory.

Generated by OpenCVE AI on April 28, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drag and Drop Multiple File Upload (Pro) – WooCommerce plugin to a release in which the vendor has added file type validation to dnd_upload_cf7_upload_chunks(). This record does not name a fixed version (affected builds are the standalone plugin up to 1.7.1 and the bundled 5.0 to 5.0.5), so confirm the fixed version with the vendor rather than assuming the next patch release closes the issue.
  • If an upgrade cannot be performed immediately, deactivate and remove the plugin, including the copy bundled with the PrintSpace theme where that variant is in use, to eliminate exposure to unauthenticated uploads.
  • Deny execution of scripts in the plugin's upload directory. On Apache a .htaccess rule works only if AllowOverride allows it, and the rule should cover every extension the server maps to PHP (.phtml, .phar, .php7 and similar), not just .php. nginx ignores .htaccess, so there the equivalent deny must be a location block in the server configuration.
  • Validate uploads server-side against an allowlist of permitted extensions and verify that the file content (magic bytes or a server-side MIME sniff, never the client-supplied Content-Type header) matches that extension, so that only intended image content is accepted.
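As an added example, not code from the plugin or from OpenCVE, the Python below shows the two server-side checks the last two actions call for: an allowlist validator that inspects every extension segment and the file's magic bytes while ignoring the client-supplied Content-Type, and an audit that walks an upload directory for PHP-family files or embedded `<?php` tags and tests whether the directory's .htaccess deny rule covers every PHP extension rather than just `.php`. The PHP extension list, the Apache `<FilesMatch>` rule shapes and the sample directory built by build_demo_dir() are assumptions for this example; the .htaccess audit is only meaningful on Apache, since nginx ignores the file.

```python
"""Added example (not the plugin's code): allowlist validation for uploads and an
audit of a WordPress-style upload directory. The PHP extension list, the Apache
<FilesMatch> rule shapes and the sample directory built by build_demo_dir() are
assumptions for this example, not details taken from the advisory."""
import os
import re
import tempfile

# Extensions a PHP handler may execute; which ones actually run depends on the
# server's AddHandler/SetHandler config, so the upload filter rejects them all.
PHP_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "php8", "phps"}

# Allowlist: final extension -> magic-byte prefixes the content must start with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

DENY_DIRECTIVE = re.compile(r"Require all denied|Deny from all|php_flag\s+engine\s+off", re.I)
FILESMATCH_SCOPE = re.compile(r'<FilesMatch\s+"([^"]+)"', re.I)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Accept only allowlisted image types. Every dotted segment is checked, so
    shell.php.jpg (Apache mod_mime / MultiViews) and shell.jpg.php are both
    rejected, and the bytes must carry the magic of the final extension. The
    client-supplied Content-Type header is deliberately never consulted."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or dotfile name"
    for seg in parts[1:]:
        if seg in PHP_EXTENSIONS:
            return False, f"disallowed extension segment .{seg}"
    final = parts[-1]
    if final not in IMAGE_MAGIC:
        return False, f"extension .{final} not in allowlist"
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[final]):
        return False, "content does not match declared type"
    return True, "ok"


def audit_upload_dir(root: str) -> list[str]:
    """Findings: PHP-family files or files containing '<?php' under root, plus
    gaps in root/.htaccess. Only meaningful on Apache with AllowOverride on;
    nginx ignores .htaccess, so there the deny rule belongs in server config."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == ".htaccess":
                continue
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in PHP_EXTENSIONS:
                findings.append(f"php-extension file: {path}")
                continue
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(4096):
                    findings.append(f"php code in non-php file: {path}")
    htaccess = os.path.join(root, ".htaccess")
    if not os.path.exists(htaccess):
        return findings + [".htaccess missing"]
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if not DENY_DIRECTIVE.search(text):
        findings.append(".htaccess has no execution-deny directive")
    scopes = FILESMATCH_SCOPE.findall(text)
    if not scopes:
        findings.append(".htaccess has no <FilesMatch> scope")
    else:
        # Run each PHP extension through the rule's own regex: a bare '\.php$'
        # leaves .phtml, .phar and .php7 executable on servers that map them.
        uncovered = sorted(e for e in PHP_EXTENSIONS
                           if not any(re.search(p, f"x.{e}") for p in scopes))
        if uncovered:
            findings.append("deny rule does not cover: " + " ".join("." + e for e in uncovered))
    return findings


def build_demo_dir(weak_rule: bool) -> str:
    """Constructed sample directory: a clean JPEG plus, when weak_rule is set, a
    '.php$'-only .htaccess and two planted webshell-style files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2025", "07")
    os.makedirs(sub)
    rule = (r'<FilesMatch "\.php$">' if weak_rule
            else r'<FilesMatch "\.(?:php|phtml|phar|php[0-9]|phps)$">')
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(rule + "\n  Require all denied\n</FilesMatch>\n")
    with open(os.path.join(sub, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    if weak_rule:
        with open(os.path.join(sub, "shell.phtml"), "wb") as fh:
            fh.write(b"<?php system($_GET['c']); ?>")
        with open(os.path.join(sub, "avatar.jpg"), "wb") as fh:  # GIF/PHP polyglot
            fh.write(b"GIF89a<?php system($_GET['c']); ?>")
    return root
```

Run audit_upload_dir() against wp-content/uploads on a host suspected of having been hit; `audit_upload_dir(build_demo_dir(weak_rule=True))` reproduces the three findings (planted .phtml, PHP code inside a .jpg, and a deny rule that stops at .php) on the constructed sample. Note that validate_upload() still accepts a GIF/PHP polyglot if it is named .gif, because the magic bytes are genuine; that is exactly why the execution block in the upload directory stays necessary even after the upload filter is fixed.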

Advisories
Source    ID                 Title
EUVD      EUVD-2025-19683    The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations.
Values Added: The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations. CVE-2025-49885 may be a duplicate of this.

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations.
Type: Title
Values Added: Drag and Drop Multiple File Upload (Pro) - WooCommerce <= 1.7.1 and 5.0 - 5.0.5 - Unauthenticated Arbitrary File Upload
Type: Weaknesses
Values Added: CWE-434
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:21.753Z

Reserved: 2025-06-05T20:22:57.965Z

Link: CVE-2025-5746

Vulnrichment

Updated: 2025-07-02T13:18:53.961Z

NVD

Status: Deferred

Published: 2025-07-02T04:15:58.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:45:25Z

Weaknesses