Drag And Drop Multiple File Upload Contact Form 7

1 CVE

CVE-2025-3515 HIGH PATCH This Week

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.

Tags: WordPress, PHP, RCE, Code Injection, Drag And Drop Multiple File Upload Contact Form 7
Source: NVD
CVSS 3.1: 8.1
EPSS: 4.6%
