Platform: wordpress
Component: drag-and-drop-multiple-file-upload-contact-form-7
Fixed in: 1.3.10
CVE-2025-8464 describes a Directory Traversal vulnerability discovered in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to potentially upload and delete files outside the plugin's designated upload directory, although file type validation and restricted deletion scope limit the immediate impact. The vulnerability affects versions from 0.0.0 up to and including 1.3.9.0, and a patch is expected to be released by the plugin maintainers.
Successful exploitation of CVE-2025-8464 could allow an attacker to upload malicious files to the WordPress server, potentially leading to code execution or other unauthorized actions. While file type validation is in place, bypassing this validation or exploiting other weaknesses in the uploaded file could still lead to a compromise. The ability to delete files, even limited to the plugin's upload folder, could disrupt functionality or be used as a stepping stone for further attacks. Because the vulnerable path is derived from the wpcf7_guest_user_id cookie, an attacker does not need to authenticate to exploit it, making it a relatively easy target.
CVE-2025-8464 was publicly disclosed on 2025-08-16. Currently, there are no known public proof-of-concept exploits available. The vulnerability's relatively simple nature and lack of authentication requirements suggest a moderate probability of exploitation (medium EPSS score). Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Websites using the Drag and Drop Multiple File Upload for Contact Form 7 plugin, particularly those with limited security controls or shared hosting environments, are at increased risk. Sites that rely on the plugin for sensitive file uploads or have weak cookie security configurations are especially vulnerable.
• wordpress / composer / npm:
grep -r 'wpcf7_guest_user_id' /var/www/html/wp-content/plugins/drag-and-drop-multiple-file-upload-for-contact-form-7/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'drag-and-drop-multiple-file-upload-for-contact-form-7'
• wordpress / composer / npm:
curl -I http://your-wordpress-site.com/wp-content/plugins/drag-and-drop-multiple-file-upload-for-contact-form-7/ | grep -i 'wpcf7_guest_user_id'
Exploit status:
EPSS: 0.93% (76th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-8464 is to upgrade the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a version that addresses the vulnerability. Until a patch is available, consider disabling the plugin entirely if it is not essential. As a temporary workaround, restrict write access to the plugin's upload directory using file system permissions or a web application firewall (WAF). Monitor the wpcf7_guest_user_id cookie for unusual values or patterns that might indicate an attempted exploit.
Update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to a version later than 1.3.9.0 to mitigate the Directory Traversal vulnerability. Check the plugin page on wordpress.org for the latest available version and update instructions. Consider implementing additional security measures, such as restricting write permissions on the uploads directory.
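As an added example (not the plugin's own code), the kind of containment check a plugin developer would apply before using a per-guest upload directory derived from the wpcf7_guest_user_id cookie: the identifier is allow-listed and the resolved path is confirmed to stay under the base directory. The base directory location, the identifier format and the function name are assumptions.

```php
<?php
// Added example, not code from the plugin. Assumes guest uploads live in
// sub-directories of one base upload directory (hypothetical location) and
// that a valid guest id is a short alphanumeric token (assumed format).

function dnd_safe_guest_dir(string $base_dir, string $guest_id): ?string
{
    // 1. Allow-list the identifier shape before any path is built.
    //    This rejects "../", slashes, null bytes and encoded variants
    //    outright instead of trying to strip them. \z (not $) so that a
    //    trailing newline cannot slip past the anchor.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $guest_id)) {
        return null;
    }

    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory must already exist
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $guest_id;

    // 2. Defence in depth: if the directory already exists, confirm the
    //    resolved path is still inside the base directory (guards against
    //    a symlink planted under the base by some other means).
    $resolved = realpath($candidate);
    if ($resolved !== false
        && strpos($resolved . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demo values: a temporary base directory and three cookie
// values, one legitimate and two traversal attempts that must be rejected.
$base = sys_get_temp_dir() . '/dndcf7_demo';
@mkdir($base, 0700, true);

var_dump(dnd_safe_guest_dir($base, 'a3f9c1'));          // string(...) safe sub-directory
var_dump(dnd_safe_guest_dir($base, '../../wp-config'));  // NULL, rejected by allow-list
var_dump(dnd_safe_guest_dir($base, "abc\0def"));         // NULL, null byte rejected
```

The same check should guard the delete path, since the advisory notes that deletion is also driven by the cookie-derived directory.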
CVE-2025-8464 is a Directory Traversal vulnerability affecting versions 0.0.0–1.3.9.0 of the Drag and Drop Multiple File Upload for Contact Form 7 plugin, allowing unauthorized file access.
If you are using the Drag and Drop Multiple File Upload for Contact Form 7 plugin in versions 0.0.0 through 1.3.9.0, you are potentially affected by this vulnerability.
Upgrade the plugin to a patched version as soon as it becomes available. Disable the plugin as a temporary workaround until a patch is released.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's characteristics suggest a potential for exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and patch information.