Ultimate Addons for Contact Form 7 < 3.5.13 – Authenticated (Administrator+) Arbitrary File Upload via 'save_options' | CVE 2025-6220 | Plugin Vulnerabilities

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

ultimate-addons-for-contact-form-7

Fixed in 3.5.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/697f3432-63b7-42d6-b188-812165cd2020

Miscellaneous

Original Researcher

Ryan Kozak

Verified

No

WPVDB ID

05df61cd-e342-4149-817b-a8660f04f5ad

Timeline

Publicly Published

2025-06-17 (about 11 months ago)

Added

2025-06-17 (about 11 months ago)

Last Updated

2025-06-18 (about 11 months ago)

Other

Published

Title

Published

2024-10-17

Title

WP REST API FNS <= 1.0.0 - Unauthenticated Arbitrary File Upload

Published

2024-11-05

Title

WP JobSearch < 2.6.8 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-11-25

Title

Booking calendar, Appointment Booking System < 3.2.16 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

Published

2011-02-17

Title

User Photo - Component Remote File Upload

Published

2025-03-06

Title

Solace Extra < 1.3.1 - Subscriber+ Arbitrary File Upload