Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.7.4 – Unauthenticated Arbitrary File Upload | CVE 2023-5822 | Plugin Vulnerabilities

Description

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.

Affects Plugins

drag-and-drop-multiple-file-upload-contact-form-7

Fixed in 1.3.7.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

d758ce63-73fb-46a6-9cc7-c114db2e2512

Timeline

Publicly Published

2023-11-01 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-05-14

Title

Copymatic – AI Content Writer & Generator < 1.7 - Unauthenticated Arbitrary File Upload

Published

2025-07-14

Title

Custom User Registration Fields for WooCommerce <= 2.1.2 - Unauthenticated Arbitrary File Upload

Published

2025-08-04

Title

WP Import Export Lite < 3.9.30 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2025-03-07

Title

SMTP by BestWebSoft < 1.2.0 - Authenticated (Administrator+) Arbitrary File Upload

Published

2014-08-01

Title

Asset Manager 0.2 - Arbitrary File Upload