
EUVD-2025-18492 | CVE-2025-3515 (PHP) · HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
Published 2025-06-17 · security@wordfence.com
CVSS 3.1 (NVD): 8.1

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd) · EUVD-2025-18492
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
Patch released: Mar 14, 2026 - 22:15 (nvd) · Patch available
CVE Published: Jun 17, 2025 - 10:15 (nvd)

Description (CVE.org)

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Analysis (AI)

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.

Technical Context (AI)

This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a fundamental file upload validation flaw. The plugin implements a blacklist-based approach to filter dangerous file types, but the implementation is insufficient: it likely checks only against a limited set of extensions while failing to account for alternate executable formats like .phar (PHP Archive files). On Apache servers with mod_php enabled, the PHP interpreter processes .phar files as executable PHP code by default, converting a file upload vulnerability into arbitrary code execution.

The attack is possible because:
(1) the plugin does not use a strict whitelist of safe extensions;
(2) it lacks proper Content-Type validation;
(3) it does not disable script execution in upload directories via .htaccess or equivalent;
(4) it does not implement file permission restrictions or sandboxing.

Contact Form 7 is one of WordPress's most widely deployed plugins, making integrations like this file upload add-on high-value attack targets.

Remediation (AI)

Immediate Actions:
(1) Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to version 1.3.9.0 or later, which should include corrected file type validation logic.
(2) If an immediate patch is unavailable, disable the plugin entirely until a patched version is released.
(3) Review and remove any suspicious files uploaded via the affected form fields, particularly .phar, .php, .phtml, .php3, .php4, .php5, .pht, and other PHP-executable extensions.

Longer-term Mitigations:
(1) Implement a strict whitelist of allowed file types (e.g., .pdf, .doc, .docx, .jpg, .png) rather than relying on blacklists.
(2) Add an .htaccess rule to prevent script execution in upload directories: <FilesMatch "\.ph(p[3-6]?|tml|ar)"> with Deny from all.
(3) Store uploaded files outside the web root if possible.
(4) Configure PHP to disable execution of uploaded files via php.ini settings.
(5) Implement server-level Content-Type validation.

Contact the plugin developer (WPEverest or the relevant maintainer listed in the WordPress.org plugin repository) for the official patch release timeline and advisory.
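To make the contrast between the blacklist flaw described in the Technical Context and the whitelist mitigation recommended above concrete, the following is an added example in PHP. It is not the plugin's code or a patch for it; the function names, the deliberately short blacklist, the allowlist table and the constructed sample files are all assumptions for illustration. It shows why a blacklist lets .phar and double-extension names through, and what an allowlist that checks the extension, the file's actual bytes via finfo, and the filename shape looks like.

```php
<?php
// Added example, not the plugin's code. Names and lists below are illustrative.
declare(strict_types=1);

// Weak approach: a short extension blacklist. Anything not listed (.phar, .phtml,
// .pht, ...) passes, which is the class of bypass described in the advisory.
function blacklist_allows(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'exe', 'js']; // constructed, incomplete on purpose
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened approach: allowlist of extensions, each tied to the MIME type(s) that
// libmagic must report for the file's real content. Anything else is rejected.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

/**
 * Returns null when the upload is acceptable, otherwise a human-readable reason.
 * $path is the temporary file on disk (e.g. $_FILES['f']['tmp_name']).
 */
function validate_upload(string $filename, string $path): ?string
{
    // Filename must be name.ext with exactly one extension: rejects "shell.php.png",
    // path separators and control characters in one go.
    $base = basename($filename);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return 'filename must be name.ext with a single extension';
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext is not on the allowlist";
    }
    // Check the bytes, not just the name: PHP source renamed to .png has no PNG magic.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return 'content type ' . var_export($mime, true) . " does not match .$ext";
    }
    // Defence in depth: refuse anything carrying a PHP open tag whatever its type claims.
    $head = (string) file_get_contents($path, false, null, 0, 1024);
    if (stripos($head, '<?php') !== false || stripos($head, '<?=') !== false) {
        return 'file contains a PHP open tag';
    }
    return null;
}

// Store under a random server-chosen name; never reuse the client's filename.
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with constructed sample files in a temporary directory.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/png", "\x89PNG\r\n\x1a\n" . random_bytes(32)); // real PNG signature
file_put_contents("$dir/php", "<?php echo 'marker'; ?>\n");            // harmless PHP source

$cases = [
    ['logo.png',    'png'], // legitimate: both filters accept
    ['x.phar',      'php'], // blacklist misses .phar; allowlist rejects
    ['cat.png',     'php'], // extension lies about the content; allowlist rejects
    ['s.php.png',   'png'], // double extension; blacklist only sees "png"
];
foreach ($cases as [$name, $file]) {
    printf("%-12s blacklist: %-5s allowlist: %s\n", $name,
        blacklist_allows($name) ? 'pass' : 'block',
        validate_upload($name, "$dir/$file") ?? 'ok');
}
```

The validator is only one layer; the mitigations above still apply on top of it, in particular storing files outside the web root and blocking script execution in the upload directory. Note that `Deny from all` is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the same `<FilesMatch>` block is `Require all denied`, and the 2.2 form only keeps working if mod_access_compat is loaded.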


EUVD-2025-18492 vulnerability details – vuln.today
