WordPress Plugin Vulnerabilities

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.0 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Affects Plugins

Plugin icon
drag-and-drop-multiple-file-upload-contact-form-7
Fixed in 1.3.9.0

References

CVE
CVE-2025-3515
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e1298242-61d2-495e-bae7-96b5e12bd03d

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
c3697bf6-f515-4f59-a3c9-54a8ebdffa83

Timeline

Publicly Published
2025-06-16 (about 1 year ago)
Added
2025-06-16 (about 1 year ago)
Last Updated
2025-06-17 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
CAC Featured Content 0.8 - Shell Upload
Published
2022-12-19
Title
WPtouch < 4.3.45 - Admin+ Arbitrary File Upload
Published
2021-10-06
Title
Access Demo Importer < 1.0.7 - Subscriber+ Arbitrary File Upload
Published
2011-02-17
Title
User Photo - Component Remote File Upload
Published
2024-01-30
Title
WordPress < 6.4.3 - Admin+ PHP File Upload