Platform: wordpress
Component: drag-and-drop-multiple-file-upload-contact-form-7
Fixed in: 1.3.9
CVE-2025-2328 is an arbitrary file access vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to manipulate file paths, potentially leading to the deletion of critical system files and, in conjunction with the Flamingo plugin, remote code execution. The vulnerability impacts versions 0 through 1.3.8.7, and a patch is available.
The core of the vulnerability lies in insufficient file path validation within the 'dndremoveuploaded_files' function. An attacker can craft malicious file paths, including directory traversal sequences (e.g., ../../../../wp-config.php), to target arbitrary files on the server. While direct remote code execution isn't immediately possible, the ability to delete files, especially sensitive configuration files like wp-config.php, significantly elevates the risk. The presence of the Flamingo plugin exacerbates the impact, as it provides a mechanism (the message deletion feature) for an attacker to trigger the file deletion. Successful exploitation could lead to complete compromise of the WordPress installation, including data theft, website defacement, and further malicious activity.
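As an added illustration, and not the plugin's own code or the vendor's patch, the following PHP function shows the kind of path validation the paragraph above describes as missing from a file-removal handler. The function name, the `$uploadDir` and `$requestedName` parameters, and the temporary files used to demonstrate it are all hypothetical; the only assumption is that the handler receives a client-supplied file name and is expected to delete a file inside a fixed upload directory.

```php
<?php
// Added example (hypothetical names, not the plugin's code): a delete handler
// that refuses any path outside the trusted upload directory.

function delete_uploaded_file_safely(string $uploadDir, string $requestedName): bool
{
    // 1. Resolve the trusted base directory once; fail closed if it is missing.
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }

    // 2. Drop every directory component the client supplied. Only a bare file
    //    name is acceptable, so a traversal sequence such as
    //    "../../../../wp-config.php" collapses to "wp-config.php".
    $name = basename($requestedName);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // 3. Resolve the candidate and require it to sit inside $base. realpath()
    //    returns false for a non-existent file, which also fails closed.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return false;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        // A symlink inside the upload directory pointed elsewhere.
        return false;
    }

    // 4. Regular files only; never directories or special files.
    if (!is_file($candidate)) {
        return false;
    }

    return unlink($candidate);
}

// Constructed demonstration in a throw-away temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dnd-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'legit.txt', 'upload');

// A file that lives outside the upload directory and must survive.
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside-' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($outside, 'must survive');

// Traversal attempt: rejected, and the outside file is untouched.
var_dump(delete_uploaded_file_safely($dir, '../' . basename($outside)));
var_dump(file_exists($outside));

// Legitimate request: the file inside the upload directory is removed.
var_dump(delete_uploaded_file_safely($dir, 'legit.txt'));
var_dump(file_exists($dir . DIRECTORY_SEPARATOR . 'legit.txt'));

unlink($outside);
rmdir($dir);
```

The two checks are deliberately redundant: `basename()` removes traversal sequences from the request, and the `realpath()` prefix comparison catches anything that still resolves outside the directory, such as a symlink that was itself uploaded. Failing closed on every `false` return is what prevents a crafted name from ever reaching `unlink()`.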
This vulnerability was publicly disclosed on March 28, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation and the potential for significant impact make it a high-priority concern. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. The vulnerability's reliance on the Flamingo plugin adds a layer of complexity, but the overall risk remains substantial.
Exploit Status
EPSS: 2.88% (86th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version that addresses this vulnerability. The vendor has not specified a fixed version, so monitor their official channels for updates. As a temporary workaround, if upgrading is not immediately feasible, consider disabling the Flamingo plugin, as it is a necessary component for exploitation. Additionally, implement strict file access controls on the WordPress server to limit the impact of potential file deletions. Review WordPress user permissions to ensure only authorized personnel have administrative access. After upgrading, confirm the fix by attempting to upload and delete files through the plugin, verifying that the file path validation is functioning correctly.
Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to the latest available version to fix the arbitrary file deletion vulnerability. This update addresses the inadequate file path validation, preventing unauthenticated attackers from deleting sensitive files on the server. Ensure you perform a full backup before updating.
CVE-2025-2328 is a HIGH severity vulnerability allowing attackers to delete files on WordPress sites using the Drag and Drop Multiple File Upload plugin, potentially leading to remote code execution if Flamingo is also installed.
You are affected if your WordPress site uses the Drag and Drop Multiple File Upload plugin version 0–1.3.8.7 and potentially the Flamingo plugin.
Upgrade the Drag and Drop Multiple File Upload plugin to the latest available version. Monitor the vendor's website for the patched version.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern and potential target.
Check the official Drag and Drop Multiple File Upload plugin website and WordPress plugin directory for security advisories.