cleantalk
Vulnerabilities and Security Researches

Drag and Drop Multiple File Upload – Contact Form 7, CVE-2023-5822

CVE, Research URL

CVE-2023-5822

Home page URL

Security reports for Drag and Drop Multiple File Upload – Contact Form 7

Application

Drag and Drop Multiple File Upload – Contact Form 7

Published on
Nov 22, 2023
Research Description
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.
Affected versions
Min -, max 1.3.7.4.
Status
vulnerable
Previous vulnerability researches
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-3515) , Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2024-3717) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2020-12800) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-0595) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-3282) , Jun 07, 2024
New vulnerability
WP Employee Attendance System (CVE-2025-28972) , Jun 18, 2025
Wise Chat (CVE-2025-3774) , Jun 18, 2025
WPAdverts – Classifieds Plugin (CVE-2025-49878) , Jun 18, 2025
Brid Video Easy Publish (CVE-2025-5237) , Jun 18, 2025
YITH PayPal Express Checkout for WooCommerce (CVE-2025-48111) , Jun 18, 2025