Drag And Drop Multiple File Upload For Contact Form 7
Monthly
Remote code execution in Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via dual file validation weaknesses. The plugin's custom blacklist configuration overwrites default protections instead of merging, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. CVSS 8.1 with High attack complexity (AV:N/AC:H/PR:N/UI:N). Wordfence reported; patch released in changeset 3508522. No KEV listing or confirmed public exploitation, but proof-of-concept feasible given detailed vulnerable code references (lines 62, 883, 970, 987).
Path traversal in Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.9.6) allows unauthenticated remote attackers to read arbitrary files within wp-content/ directory and exfiltrate them via email attachments. The plugin accepts client-supplied mfile[] POST parameters without server-side validation, directly converting user-controlled filenames to filesystem paths. CVSS 7.5 (High) reflects network attack vector with no authentication required. SSVC marks this as automatable with partial technical impact. No active exploitation confirmed (SSVC: exploitation=none), but the attack complexity is low and requires no user interaction, making this a realistic pre-authentication data exposure risk for sites using this plugin.
Remote code execution in Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via dual file validation weaknesses. The plugin's custom blacklist configuration overwrites default protections instead of merging, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. CVSS 8.1 with High attack complexity (AV:N/AC:H/PR:N/UI:N). Wordfence reported; patch released in changeset 3508522. No KEV listing or confirmed public exploitation, but proof-of-concept feasible given detailed vulnerable code references (lines 62, 883, 970, 987).
Path traversal in Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.9.6) allows unauthenticated remote attackers to read arbitrary files within wp-content/ directory and exfiltrate them via email attachments. The plugin accepts client-supplied mfile[] POST parameters without server-side validation, directly converting user-controlled filenames to filesystem paths. CVSS 7.5 (High) reflects network attack vector with no authentication required. SSVC marks this as automatable with partial technical impact. No active exploitation confirmed (SSVC: exploitation=none), but the attack complexity is low and requires no user interaction, making this a realistic pre-authentication data exposure risk for sites using this plugin.