MEDIUM · CVE-2025-8464 · CVSS 5.3

CVE-2025-8464: Directory Traversal in Contact Form 7 Plugin

Platform

wordpress

Component

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in

1.3.10

AI Confidence: high · NVD · EPSS 0.9% · Reviewed: May 2026

CVE-2025-8464 describes a Directory Traversal vulnerability discovered in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to potentially upload and delete files outside the plugin's designated upload directory, although file type validation and restricted deletion scope limit the immediate impact. The vulnerability affects versions from 0.0.0 up to and including 1.3.9.0, and a patch is expected to be released by the plugin maintainers.


Impact and Attack Scenarios

Successful exploitation of CVE-2025-8464 could allow an attacker to upload malicious files to the WordPress server, potentially leading to code execution or other unauthorized actions. While file type validation is in place, bypassing this validation or exploiting other vulnerabilities in the uploaded file could still lead to a compromise. The ability to delete files, even limited to the plugin's upload folder, could disrupt functionality or be used as a stepping stone for further attacks. The vulnerability's reliance on the wpcf7guestuser_id cookie means that an attacker does not need to authenticate to exploit it, making it a relatively easy target.

Exploitation Context

CVE-2025-8464 was publicly disclosed on 2025-08-16. Currently, there are no known public proof-of-concept exploits available. The vulnerability's relatively simple nature and lack of authentication requirements suggest a moderate probability of exploitation (medium EPSS score). Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.93% (76th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score: 5.3 MEDIUM (nextguardhq.com · CVSS v3.1 Base Score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: drag-and-drop-multiple-file-upload-contact-form-7
Vendor: glenwpcoder
Affected range: 0.0.0 – 1.3.9.0
Fixed in: 1.3.10

Package Information

Active installs: 60K
Plugin rating: 4.8
Requires WordPress: 3.0.1+
Compatible up to: 6.9.4
Requires PHP: 5.2.4+

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 281 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-8464 is to upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version that addresses the vulnerability. Until a patch is available, consider disabling the plugin entirely if it is not essential. As a temporary workaround, restrict write access to the plugin's upload directory using file system permissions or a web application firewall (WAF). Monitor the wpcf7guestuser_id cookie for unusual values or patterns that might indicate an attempted exploit.
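A defender-side check for the cookie-monitoring advice above, written as an added example that is not code from the page or from the plugin: it pulls the wpcf7guestuser_id cookie out of constructed access-log lines, URL-decodes the value (including double encoding), and flags values that contain traversal sequences or fall outside an expected shape. The log format, the sample lines, the request paths and the EXPECTED_VALUE allow-list pattern are all assumptions.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "wpcf7guestuser_id"

# Assumption: the plugin's real cookie format is not documented on the page,
# so this allow-list is a placeholder to tune against known-good traffic.
EXPECTED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# ".." as a whole path segment, with either slash style as the separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")

# Constructed sample log lines: a custom access-log format whose last quoted
# field is the request's Cookie header ("-" when no cookie was sent).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Aug/2025:10:01:02 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7guestuser_id=a1b2c3d4e5f6"
203.0.113.11 - - [16/Aug/2025:10:02:15 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7guestuser_id=../../wp-content"
203.0.113.12 - - [16/Aug/2025:10:03:40 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7guestuser_id=%2e%2e%2f%2e%2e%2fuploads"
203.0.113.13 - - [16/Aug/2025:10:04:01 +0000] "GET / HTTP/1.1" 200 1024 "-"
"""

LOG_RE = re.compile(r'^(\S+) .*?"(?P<req>[^"]*)" \d+ \d+ "(?P<cookies>[^"]*)"$')


def cookie_value(cookie_header: str, name: str = COOKIE_NAME):
    """Return the named cookie's raw value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def is_suspicious(value: str) -> bool:
    """True if the cookie value decodes to a traversal or an unexpected shape."""
    decoded = value
    for _ in range(3):  # unwrap double/triple URL encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if TRAVERSAL.search(decoded) or "\x00" in decoded:
        return True
    return not EXPECTED_VALUE.match(decoded)


def scan_log(text: str):
    """Return (client_ip, raw_cookie_value) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = cookie_value(m.group("cookies"))
        if value is not None and is_suspicious(value):
            hits.append((m.group(1), value))
    return hits
```

Tune EXPECTED_VALUE against real traffic before alerting on the allow-list branch; the traversal branch alone is already a strong signal.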

How to fix

Update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to a version later than 1.3.9.0 to mitigate the Directory Traversal vulnerability. Check the plugin page on wordpress.org for the latest version available and upgrade instructions. Consider implementing additional security measures, such as restricting write permissions on the uploads directory.


Frequently asked questions

What is CVE-2025-8464 — Directory Traversal in Drag and Drop Multiple File Upload for Contact Form 7?

CVE-2025-8464 is a Directory Traversal vulnerability affecting versions 0.0.0–1.3.9.0 of the Drag and Drop Multiple File Upload for Contact Form 7 plugin, allowing unauthorized file access.

Am I affected by CVE-2025-8464 in Drag and Drop Multiple File Upload for Contact Form 7?

If you are using the Drag and Drop Multiple File Upload for Contact Form 7 plugin in versions 0.0.0 through 1.3.9.0, you are potentially affected by this vulnerability.

How do I fix CVE-2025-8464 in Drag and Drop Multiple File Upload for Contact Form 7?

Upgrade the plugin to a patched version as soon as it becomes available. Disable the plugin as a temporary workaround until a patch is released.

Is CVE-2025-8464 being actively exploited?

Currently, there are no confirmed reports of active exploitation, but the vulnerability's characteristics suggest a potential for exploitation.

Where can I find the official Drag and Drop Multiple File Upload for Contact Form 7 advisory for CVE-2025-8464?

Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and patch information.
