CVE-2023-5822

Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress versions up to, and including, 1.3.7.3

Description The issue arises from insufficient file type validation in the dnd upload cf7 upload function, allowing unauthenticated attackers to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution. The vulnerability can be exploited if a user with editor privileges or above has added a 'multiple file upload' form field with '*' acceptable file types.

Recommendations For versions up to, and including, 1.3.7.3, update to a version that fixes the insufficient file type validation issue in the dnd upload cf7 upload function to prevent arbitrary file uploads. As a temporary workaround, consider restricting the acceptable file types in the 'multiple file upload' form field to prevent exploitation until a patch is available.