Platform
wordpress
Component
drag-and-drop-multiple-file-upload-contact-form-7
Fixed in
1.3.9
CVE-2025-2328 is an arbitrary file access vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to manipulate file paths, potentially leading to the deletion of critical system files and, in conjunction with the Flamingo plugin, remote code execution. The vulnerability impacts versions 0 through 1.3.8.7, and a patch is available.
The primary impact of CVE-2025-2328 is the ability for an unauthenticated attacker to delete files on a WordPress server. By manipulating file paths, an attacker can target critical system files, including wp-config.php, which contains sensitive database credentials. Successful deletion of wp-config.php can lead to complete compromise of the WordPress installation, allowing the attacker to gain full control over the server. The requirement for the Flamingo plugin to be installed significantly narrows the attack surface, but still represents a substantial risk for systems using both plugins. This vulnerability shares similarities with other file deletion vulnerabilities where insufficient input validation allows attackers to bypass security controls.
CVE-2025-2328 was publicly disclosed on March 28, 2025. There is no indication of this vulnerability being actively exploited at the time of writing. The EPSS score is likely to be medium, given the requirement for the Flamingo plugin and the need for an administrator to manually delete the uploaded file. No public proof-of-concept exploits have been released, but the vulnerability's nature makes it likely that one will emerge. This CVE is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Drag and Drop Multiple File Upload for Contact Form 7 plugin, particularly those with the Flamingo plugin installed, are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over plugin updates and server configurations. Legacy WordPress installations running older versions of the plugin are also at heightened risk.
• wordpress / composer / npm:
grep -r 'dnd_remove_uploaded_files' /var/www/html/wp-content/plugins/drag-and-drop-multiple-file-upload-for-contact-form-7/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'drag-and-drop-multiple-file-upload-for-contact-form-7'
• wordpress / composer / npm:
wp plugin list --status=active | grep 'flamingo'
• generic web: Check the WordPress plugin directory for updates and security advisories related to 'Drag and Drop Multiple File Upload for Contact Form 7'.
disclosure
Exploit status
EPSS
2.88% (86th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2328 is to upgrade the Drag and Drop Multiple File Upload plugin to a version that addresses the vulnerability. As of the publication date, a patched version is expected but not explicitly stated. If upgrading is not immediately possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file paths (e.g., those containing ../). Additionally, restrict file upload permissions and carefully review all uploaded files for malicious content. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin. After upgrade, confirm functionality by attempting a file upload and deletion through the plugin interface.
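A containment check of the kind the WAF rule above approximates at the network layer, as an added PHP example that is not the plugin's own code: it canonicalizes a requested upload name with realpath() and refuses anything that does not resolve to a regular file inside the upload directory. The directory, function names and sample file are assumptions; in a real plugin the base directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added hardening example, not the plugin's own code. Directory names, the
// function names and the constructed sample file below are assumptions.
// Resolve a user-supplied file name inside $uploadDir. Returns the canonical
// path, or null when the name is not a bare file name, the file is missing or
// not a regular file, or it resolves (also via symlink) outside $uploadDir.
function safe_upload_path(string $uploadDir, string $requested): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Only a bare file name is acceptable: no separators, no "." / "..", no NUL byte.
    if ($requested === '' || $requested !== basename($requested)
        || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves symlinks, so the prefix check also catches a symlink
    // planted in the upload directory that points elsewhere.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Delete an upload only if it passes the containment check; log rejections.
function safe_delete_upload(string $uploadDir, string $requested): bool
{
    $path = safe_upload_path($uploadDir, $requested);
    if ($path === null) {
        error_log('Rejected upload delete request: ' . var_export($requested, true));
        return false;
    }
    return unlink($path);
}

// Constructed demonstration in a temporary directory; no real WordPress files are touched.
$dir = sys_get_temp_dir() . '/dnd-upload-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/report.pdf', 'constructed sample');
var_dump(safe_delete_upload($dir, 'report.pdf'));          // accepted: stays inside $dir
var_dump(safe_delete_upload($dir, '../../wp-config.php')); // rejected by the bare-name check
rmdir($dir);
```

Rejections are logged rather than silently ignored so that repeated traversal attempts show up in the server's error log for detection.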
Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to the latest available version to fix the arbitrary file deletion vulnerability. This update addresses the lack of proper validation of file paths, preventing unauthenticated attackers from deleting sensitive files on the server. Make sure to take a full backup before updating.
CVE-2025-2328 is a HIGH severity vulnerability allowing attackers to delete files on WordPress sites using the Drag and Drop Multiple File Upload plugin, potentially leading to remote code execution if Flamingo is also installed.
You are affected if your WordPress site uses the Drag and Drop Multiple File Upload plugin version 0–1.3.8.7 and potentially the Flamingo plugin.
Upgrade the Drag and Drop Multiple File Upload plugin to the latest available version. Monitor the vendor's website for the patched version.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern and potential target.
Check the official Drag and Drop Multiple File Upload plugin website and WordPress plugin directory for security advisories.