CVE-2025-8464 Information
Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to and including 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited as file types are validated and only safe ones can be uploaded while deletion is limited to the plugin’s uploads folder.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Reference
https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1018 https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1050 https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L77 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&new=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/17f7be7f-f675-4c9f-a7b3-525a3c3c5775?source=cve
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
NONE
Availability Impact
LOW
Base Score
NONE
Base Severity
5.3
Related CNNVD
CNNVD-202508-1918 (Published: 2025-08-16)
Share on: