cleantalk
Vulnerabilities and Security Researches

Drag and Drop Multiple File Upload – Contact Form 7, CVE-2024-12267

CVE, Research URL

CVE-2024-12267

Home page URL

Security reports for Drag and Drop Multiple File Upload – Contact Form 7

Application

Drag and Drop Multiple File Upload – Contact Form 7

Published on
Jan 31, 2025
Research Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.
Affected versions
Min -, max 1.3.8.6.
Status
vulnerable
Previous vulnerability researches
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-3515) , Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2024-3717) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2020-12800) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-0595) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-3282) , Jun 07, 2024
New vulnerability
Wise Chat (CVE-2025-3774) , Jun 18, 2025
WPAdverts – Classifieds Plugin (CVE-2025-49878) , Jun 18, 2025
Brid Video Easy Publish (CVE-2025-5237) , Jun 18, 2025
YITH PayPal Express Checkout for WooCommerce (CVE-2025-48111) , Jun 18, 2025
WordPress Infinite Scroll – Ajax Load More (CVE-2025-4775) , Jun 18, 2025