WordPress Plugin Vulnerabilities

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.7.8 - Sensitive Information Exposure

Description

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.

Affects Plugins

Plugin icon
drag-and-drop-multiple-file-upload-contact-form-7
Fixed in 1.3.7.8

References

CVE
CVE-2024-3717
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/153cb585-4eea-4959-85b1-2487be11f116

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
5251697d-eb84-4f29-bcc4-bffba65b942b

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-05-03 (about 2 years ago)
Last Updated
2024-05-03 (about 2 years ago)

Other

Published
Title
Published
2026-02-17
Title
Context Blog < 1.2.6 - Unauthenticated Private Post Disclosure
Published
2025-05-07
Title
Mail Mint < 1.17.8 - Unauthenticated Sensitive Information Exposure
Published
2025-11-18
Title
Quiz Maker < 6.7.0.81 - Unauthenticated Sensitive Information Exposure
Published
2026-04-28
Title
Fortis For WooCommerce < 1.3.1 - Sensitive API Key Disclosure
Published
2025-01-07
Title
140+ Widgets | Xpro Addons For Elementor – FREE < 1.4.6.3 - Authenticated (Contributor+) Post Disclosure via Post Duplication