Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.3 – Missing Authorization to Unauthenticated File Deletion | CVE 2025-14457 | Plugin Vulnerabilities

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

Affects Plugins

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in 1.3.9.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

9f1d46f5-e391-4a40-8eba-1b7908d0aad8

Timeline

Publicly Published

2026-01-14 (about 5 months ago)

Added

2026-01-14 (about 5 months ago)

Last Updated

2026-01-15 (about 5 months ago)

Other

Published

Title

Published

2025-11-12

Title

Gallery Plugin for WordPress – Envira Photo Gallery < 1.12.1 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions

Published

2025-12-31

Title

Sticky Notes for WP Dashboard < 1.2.5 - Missing Authorization

Published

2024-07-03

Title

One Click Order Re-Order < 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-12-15

Title

Auto Featured Image < 4.2.2 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification

Published

2025-01-16

Title

Debug Tool <= 2.2 - Missing Authorization