WordPress Plugin Vulnerabilities

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.8.6 - Limited Arbitrary File Deletion

Description

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

Affects Plugins

Plugin icon
drag-and-drop-multiple-file-upload-contact-form-7
Fixed in 1.3.8.6

References

CVE
CVE-2024-12267
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/00ec7251-3be1-411a-b38e-1782d1691e18

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
theviper17y
Verified
No
WPVDB ID
7f1e23a6-5509-4923-ade1-217ebe87bcf1

Timeline

Publicly Published
2025-01-30 (about 1 year ago)
Added
2025-01-30 (about 1 year ago)
Last Updated
2025-01-31 (about 1 year ago)

Other

Published
Title
Published
2025-11-24
Title
AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read
Published
2022-03-16
Title
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
Published
2025-12-11
Title
WP User Manager < 2.9.13 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter
Published
2025-03-21
Title
Export and Import Users and Customers < 2.6.3 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Published
2025-12-17
Title
Frontend File Manager < 23.5 - Subscriber+ Arbitrary File Deletion