Vulnerabilities and security researches fordrag-and-drop-multiple-file-upload-contact-form-7 drag-and-drop-multiple-file-upload-contact-form-7
Direction: ascendingJun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2024-3717
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2020-12800
- CVE, Research URL
- Date
- Jun 08, 2020
- Research Description
- The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-0595
- CVE, Research URL
- Date
- Mar 28, 2022
- Research Description
- The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-3282
- CVE, Research URL
- Date
- Oct 17, 2022
- Research Description
- The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2022-45364
- CVE, Research URL
- Date
- May 24, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2023-5822
- CVE, Research URL
- Date
- Nov 22, 2023
- Research Description
- The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Feb 01, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2024-12267
- CVE, Research URL
- Date
- Jan 31, 2025
- Research Description
- The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Apr 02, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-2485
- CVE, Research URL
- Date
- Mar 28, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-2328
- CVE, Research URL
- Date
- Mar 28, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 # CVE-2025-3515
- CVE, Research URL
- Date
- Jun 17, 2025
- Research Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable