Description
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-06-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ultra Addons for Contact Form 7 plugin for WordPress contains a flaw that allows authenticated users with Administrator privileges to upload files through the save_options endpoint without any file type validation. This lack of validation can result in arbitrary files being written to the server, creating a potential vector for remote code execution. The weakness is classified as CWE-434, which captures this type of uncontrolled upload.

Affected Systems

Affected systems are sites running WordPress with the Ultra Addons for Contact Form 7 plugin from Themefic, versions up to and including 3.5.12. Any installation that has not been upgraded beyond those versions remains susceptible. No other plugins or products are listed as affected.

Risk and Exploitability

Risk and exploitability assessment reveals a CVSS score of 7.2, indicating high severity, and an EPSS score of <1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is via authenticated administrative access, where an attacker can use the plugin’s settings interface to deliver a malicious file. Once uploaded, if the file is executable or interpreted by the server, the attacker gains potential remote code execution capabilities.

Generated by OpenCVE AI on June 18, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultra Addons for Contact Form 7 to the latest available version from Themefic to apply the upload validation fix.
  • Restrict or remove Administrator level access for untrusted accounts to the plugin’s settings interface until a patch can be applied.
  • Monitor the site’s upload directories and configuration files for unexpected uploads and review web server logs for suspicious activity to detect any abuse of the upload mechanism.

Generated by OpenCVE AI on June 18, 2026 at 11:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28707 The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 09 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic ultimate Addons For Contact Form 7
CPEs cpe:2.3:a:themefic:ultimate_addons_for_contact_form_7:*:*:*:*:*:wordpress:*:*
Vendors & Products Themefic
Themefic ultimate Addons For Contact Form 7

Wed, 18 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Jun 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options'
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themefic Ultimate Addons For Contact Form 7
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:39.900Z

Reserved: 2025-06-17T22:11:09.505Z

Link: CVE-2025-6220

cve-icon Vulnrichment

Updated: 2025-06-18T13:18:04.323Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-18T12:15:19.247

Modified: 2026-06-17T10:01:24.493

Link: CVE-2025-6220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type