Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
Published: 2025-08-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Drag and Drop Multiple File Upload for Contact Form 7 plugin contains a relative path traversal flaw (CWE-23) that an attacker triggers by setting a crafted wpcf7_guest_user_id cookie. Because the cookie value takes part in building the filesystem path for a guest's upload location, a value containing traversal sequences lets an unauthenticated attacker write uploaded files to, and delete files from, locations outside the directory the plugin intended. Only file types the plugin deems safe are accepted, and deletion is confined to the plugin's uploads folder, so files elsewhere on the server cannot be removed.
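
The pattern behind CWE-23 and its fix, shown side by side as an added example. This is not the plugin's code: the upload root, the guest-id format and the function names are assumptions made for illustration. The unsafe resolver joins the cookie value onto the upload root unchecked, which is how a value such as ../../evil lands outside the intended directory; the safe resolver allowlists the id as an opaque token and then confirms that the realpath of the result is still under the root, which also catches symlink escapes the regex alone would miss.

```python
import os
import re
from typing import List, Optional, Tuple

# Allowlist for a guest identifier: an opaque token, never a path. The exact
# format the plugin issues is not documented on this page; this pattern is an
# assumption for the example.
GUEST_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed upload root for the example (not a real plugin path).
UPLOAD_ROOT = "/srv/www/uploads"


def resolve_unsafe(upload_root: str, guest_id: str) -> str:
    """The CWE-23 pattern: the cookie value becomes a path segment unchecked.
    os.path.join also discards upload_root when guest_id is absolute."""
    return os.path.normpath(os.path.join(upload_root, guest_id))


def resolve_safe(upload_root: str, guest_id: str) -> Optional[str]:
    """Return the guest's directory, or None if the id is not a plain token or
    the resolved path escapes the upload root (for example via a symlink)."""
    if not GUEST_ID_RE.fullmatch(guest_id):
        return None
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, guest_id))
    # realpath collapses '..' and follows symlinks, so a containment check on
    # the result catches both traversal and symlink escapes.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def is_inside(upload_root: str, path: str) -> bool:
    """True when path, after normalisation, still lies under upload_root."""
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


# Constructed cookie values: one legitimate id and three traversal attempts.
COOKIE_SAMPLES = ["8f2c1a9d", "../../evil", "/etc", ".."]


def compare(upload_root: str = UPLOAD_ROOT) -> List[Tuple[str, bool, Optional[str]]]:
    """For each sample: (cookie value, does the unsafe result escape the root?,
    what the safe resolver returns)."""
    rows = []
    for value in COOKIE_SAMPLES:
        unsafe = resolve_unsafe(upload_root, value)
        rows.append((value, not is_inside(upload_root, unsafe), resolve_safe(upload_root, value)))
    return rows


if __name__ == "__main__":
    for value, escaped, safe in compare():
        print(f"{value!r:14} unsafe escapes root: {escaped!s:5}  safe -> {safe}")
```

The containment check compares real paths rather than string prefixes: a prefix test would accept /srv/www/uploads-other as being inside /srv/www/uploads, while os.path.commonpath does not.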

Affected Systems

WordPress installations running Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.0 or earlier, published by glenwpcoder. Any site with the plugin active and a Contact Form 7 form that exposes its upload field is potentially affected, since the attacker needs no account.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) scores the flaw 5.3 (Medium): reachable over the network with no authentication or user interaction, with a low impact on integrity and none on confidentiality or availability. The EPSS score of < 1% indicates a very low predicted likelihood of exploitation, the vulnerability is not listed in CISA's KEV catalog, and the SSVC record marks exploitation as "none" while noting that the attack is automatable. An attacker needs only to send the crafted cookie with an upload or delete request to the plugin's handler. Because file types are validated, the description gives no indication of a route to code execution; the practical consequences are attacker-controlled files landing outside the intended directory and the removal of other uploads within the plugin's uploads folder. The overall risk is therefore moderate, with the integrity of stored files the primary concern.

Generated by OpenCVE AI on June 18, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drag and Drop Multiple File Upload for Contact Form 7 to a release later than 1.3.9.0 as soon as the vendor publishes one that corrects the cookie handling; check the plugin changelog, since no fixed version is recorded on this page
  • Restrict permissions on the plugin's uploads folder to the web server process and disable script execution within it (for example by denying PHP handling for that path in the web server configuration), so that a file written to an unexpected location cannot be run
  • Configure a web application firewall rule to block requests whose wpcf7_guest_user_id cookie, after percent-decoding (including double-encoded forms), contains a ".." path segment, a leading slash, a backslash or a null byte; a positive rule that allows only the characters a legitimate guest id contains is more robust than a "../" substring match
  • Monitor the plugin's uploads folder and its parent directories for unexpected file creation or deletion, and log requests that carry a malformed wpcf7_guest_user_id cookie so that probing can be tied to a source address
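
The cookie-inspection rule described above, written out as a log scanner so the logic can be tested before it becomes a WAF or SIEM rule. This is an added example, not code from OpenCVE or the plugin: the log format (client, request, status and the Cookie header), the sample lines and the allowed-id pattern are all constructed for illustration. It decodes the value until it stops changing, so double-encoded traversal is caught, folds backslashes to slashes, and flags anything that is not a plain token.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

COOKIE_NAME = "wpcf7_guest_user_id"
# Assumed shape of a legitimate guest id (an opaque token); adjust to what the
# deployed plugin actually issues before using this as a blocking rule.
SAFE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed log format: client, ident, user, time, request, status, Cookie header.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) "([^"]*)"$')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '../' does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def cookie_value(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Extract one cookie's raw value from a Cookie request header."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def classify(raw_value: str) -> Optional[str]:
    """Return a reason for a suspicious value, or None if it looks like a plain
    token. Backslashes are folded to '/' because Windows hosts accept both."""
    decoded = fully_decode(raw_value).replace("\\", "/")
    if "\x00" in decoded:
        return "null-byte"
    if decoded.startswith("/") or ".." in decoded.split("/"):
        return "traversal"
    if not SAFE_ID_RE.fullmatch(decoded):
        return "unexpected-characters"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, raw_cookie_value, reason) for each flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = cookie_value(m.group(3))
        if raw is None:
            continue
        reason = classify(raw)
        if reason:
            findings.append((m.group(1), raw, reason))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2025:08:15:27 +0000] "POST /contact/ HTTP/1.1" 200 "wpcf7_guest_user_id=8f2c1a9d; wordpress_test_cookie=WP+Cookie+check"',
    '198.51.100.7 - - [16/Aug/2025:08:16:02 +0000] "POST /contact/ HTTP/1.1" 200 "wpcf7_guest_user_id=../../../wp-content"',
    '198.51.100.7 - - [16/Aug/2025:08:16:05 +0000] "POST /contact/ HTTP/1.1" 200 "wpcf7_guest_user_id=%2e%2e%2f%2e%2e%2fwp-content"',
    '198.51.100.9 - - [16/Aug/2025:08:17:40 +0000] "POST /contact/ HTTP/1.1" 200 "wpcf7_guest_user_id=%252e%252e%252fetc"',
    r'192.0.2.45 - - [16/Aug/2025:08:18:11 +0000] "POST /contact/ HTTP/1.1" 200 "wpcf7_guest_user_id=..\..\x"',
    '192.0.2.44 - - [16/Aug/2025:08:19:00 +0000] "GET /contact/ HTTP/1.1" 200 "wordpress_test_cookie=WP+Cookie+check"',
]

if __name__ == "__main__":
    for ip, raw, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {reason:22} {raw}")
```

Of the six constructed lines, four are flagged as traversal (plain, single-encoded, double-encoded and backslash forms); the legitimate id passes and the request without the cookie is skipped. The "unexpected-characters" reason is a softer signal meant for logging rather than blocking until the real id format is confirmed.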

Advisories

  • Source: EUVD. ID: EUVD-2025-25136. Title: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
History

Mon, 18 Aug 2025 18:15:00 +0000

  • Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 16 Aug 2025 07:30:00 +0000

  • Description added: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
  • Title added: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie
  • Weaknesses added: CWE-23
  • References (no values recorded)
  • Metrics added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:33.117Z

Reserved: 2025-08-01T15:47:19.302Z

Link: CVE-2025-8464

Vulnrichment

Updated: 2025-08-18T17:51:06.287Z

NVD

Status : Deferred

Published: 2025-08-16T08:15:27.493

Modified: 2026-06-17T10:07:02.073

Link: CVE-2025-8464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T06:30:16Z

Weaknesses
  • CWE-23

    Relative Path Traversal