Drag and Drop Multiple File Upload PRO – Contact Form 7 with Remote Storage Integrations < 5.0.6.3 – Path Traversal | CVE 2023-1112 | Plugin Vulnerabilities

Description

The plugin does not properly check the value of the input "upload_dir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver.

Proof of Concept

1. Create a contact form and add a "multiple file upload" field.
2. Add the contact form to a page using the `contact-form-7` shortcode.
3. Visit the page on the frontend and drag a file into the upload section.
4. Intercept the request and append `/../..` to the `upload_dir` parameter.
5. See that the file is uploaded outside of the `wpcf7_drag-n-drop_uploads` directory.

Affects Plugins

drag-n-drop-upload-cf7-pro

Fixed in 5.0.6.3

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nicholas Ferreira

Submitter

Nicholas Ferreira

Submitter website

https://n.0x7359.com

Verified

Yes

WPVDB ID

5d4440f6-d47e-478d-9901-cc25ea5af631

Timeline

Publicly Published

2023-03-08 (about 3 years ago)

Added

2023-03-09 (about 3 years ago)

Last Updated

2023-03-21 (about 3 years ago)

Other

Published

Title

Published

2021-07-05

Title

Haxcan <= 1.0.0 - Arbitrary File Access

Published

2025-09-03

Title

atec Debug < 1.2.23 - Admin+ Arbitrary File Deletion

Published

2015-09-30

Title

mTheme Unus < 2.3 - Directory Traversal

Published

2021-08-23

Title

OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API

Published

2019-03-07

Title

Caldera Forms Pro < 1.8.2 - Unauthenticated Arbitrary File Read