cleantalk
Vulnerabilities and Security Researches

Drag and Drop Multiple File Upload – Contact Form 7, CVE-2025-14457

CVE, Research URL

CVE-2025-14457

Home page URL

Security reports for Drag and Drop Multiple File Upload – Contact Form 7

Application

Drag and Drop Multiple File Upload – Contact Form 7

Published on
Jan 15, 2026
Research Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.
Affected versions
max 1.3.9.3.
Status
vulnerable
Previous vulnerability researches
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-3515) , Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-8464) , Aug 16, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-14842) , Jan 28, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-14457) , Jan 28, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2024-3717) , Jun 07, 2024
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026