Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.1 – Directory Traversal | CVE 2025-8464 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Directory Traversal via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.

Affects Plugins

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in 1.3.9.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/17f7be7f-f675-4c9f-a7b3-525a3c3c5775

Miscellaneous

Original Researcher

Thien Tran

Verified

No

WPVDB ID

354310ed-5632-4cd6-ab82-389a9ad62ae1

Timeline

Publicly Published

2025-08-15 (about 10 months ago)

Added

2025-08-18 (about 10 months ago)

Last Updated

2025-08-18 (about 10 months ago)

Other

Published

Title

Published

2022-03-11

Title

WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package

Published

2023-10-11

Title

Form Maker < 1.15.21 - Captcha Bypass

Published

2025-10-14

Title

Binary MLM Plan < 5.0 - Unauthenticated Limited Privilege Escalation

Published

2026-04-08

Title

Bookly < 27.1 - Unauthenticated Price Manipulation via 'tips'

Published

2025-02-17

Title

Uncode < 2.9.1.7 - Subscriber+ Arbitrary File Read in uncode_recordMedia