cleantalk
Vulnerabilities and Security Researches

Drag and Drop Multiple File Upload – Contact Form 7, CVE-2025-2328

CVE, Research URL

CVE-2025-2328

Home page URL

Security reports for Drag and Drop Multiple File Upload – Contact Form 7

Application

Drag and Drop Multiple File Upload – Contact Form 7

Published on
Mar 28, 2025
Research Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
Affected versions
Min -, max 1.3.8.8.
Status
vulnerable
Previous vulnerability researches
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2025-3515) , Jun 18, 2025
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2024-3717) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2020-12800) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-0595) , Jun 07, 2024
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2022-3282) , Jun 07, 2024
New vulnerability
WP Employee Attendance System (CVE-2025-28972) , Jun 18, 2025
Wise Chat (CVE-2025-3774) , Jun 18, 2025
WPAdverts – Classifieds Plugin (CVE-2025-49878) , Jun 18, 2025
Brid Video Easy Publish (CVE-2025-5237) , Jun 18, 2025
YITH PayPal Express Checkout for WooCommerce (CVE-2025-48111) , Jun 18, 2025