Vulnerabilities and security researches fordrag-and-drop-multiple-file-upload-contact-form-7 drag-and-drop-multiple-file-upload-contact-form-7
Direction: ascendingJun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2024-3717
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.
- Affected versions
-
max 1.3.7.8.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2020-12800
- CVE, Research URL
- Date
- Jun 08, 2020
- Research Description
- The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
- Affected versions
-
max 1.3.3.3.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-0595
- CVE, Research URL
- Date
- Mar 28, 2022
- Research Description
- The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue
- Affected versions
-
max 1.3.5.5.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-3282
- CVE, Research URL
- Date
- Oct 17, 2022
- Research Description
- The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
- Affected versions
-
max 1.3.5.5.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-45364
- CVE, Research URL
- Date
- May 24, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions.
- Affected versions
-
max 1.3.6.6.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2023-5822
- CVE, Research URL
- Date
- Nov 22, 2023
- Research Description
- The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.
- Affected versions
-
max 1.3.7.4.
- Status
-
vulnerable
Feb 01, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2024-12267
- CVE, Research URL
- Date
- Jan 31, 2025
- Research Description
- The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.
- Affected versions
-
max 1.3.8.6.
- Status
-
vulnerable
Apr 02, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-2485
- CVE, Research URL
- Date
- Mar 28, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
- Affected versions
-
max 1.3.8.8.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-2328
- CVE, Research URL
- Date
- Mar 28, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
- Affected versions
-
max 1.3.8.8.
- Status
-
vulnerable
Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-3515
- CVE, Research URL
- Date
- Jun 17, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
- Affected versions
-
max 1.3.9.0.
- Status
-
vulnerable
Aug 16, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-8464
- CVE, Research URL
- Date
- Aug 16, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
- Affected versions
-
max 1.3.9.1.
- Status
-
vulnerable
Jan 28, 2026
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-14842
- CVE, Research URL
- Date
- Jan 07, 2026
- Research Description
- The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.
- Affected versions
-
max 1.3.9.3.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-14457
- CVE, Research URL
- Date
- Jan 15, 2026
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.
- Affected versions
-
max 1.3.9.3.
- Status
-
vulnerable
Apr 15, 2026
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2026-3459
- CVE, Research URL
- Date
- Mar 06, 2026
- Research Description
- The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
- Affected versions
-
max 1.3.9.6.
- Status
-
vulnerable
Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2026-5718
- CVE, Research URL
- Date
- Apr 17, 2026
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
- Affected versions
-
max 1.3.9.7.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2026-5710
- CVE, Research URL
- Date
- Apr 17, 2026
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selection without performing any server-side upload provenance check, path canonicalization, or directory containment boundary enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is directly appended to the plugin's upload URL without sanitization. In dnd_cf7_mail_components(), the URL is converted back to a filesystem path using str_replace() and only file_exists() is used as the acceptance check before attaching the file to the outgoing CF7 email. This makes it possible for unauthenticated attackers to read and exfiltrate arbitrary files readable by the web server process via path traversal sequences in the mfile[] parameter, with files being disclosed as email attachments. Note: This vulnerability is limited to the 'wp-content' folder due to the wpcf7_is_file_path_in_content_dir() function in the Contact Form 7 plugin.
- Affected versions
-
max 1.3.9.7.
- Status
-
vulnerable
Jun 07, 2026
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2026-8991
- CVE, Research URL
- Date
- Jun 06, 2026
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.3.9.8.
- Status
-
vulnerable