PT-2026-1566 · WordPress · Contact Form 7+1
Andrea Bocchetti
Published 2026-01-07 · Updated 2026-01-07
CVE-2025-14842
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress versions prior to 1.3.9.3
Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress allows the upload of potentially dangerous file types, specifically .phar and .svg files, because the plugin fails to block these file extensions. Successful exploitation could allow unauthenticated attackers to upload malicious files. Uploading .phar files, if the server is configured to execute them as PHP, can lead to remote code execution. Uploading .svg files can result in Stored Cross-Site Scripting. The vulnerable parameter is the file upload field within the contact form.
Recommendations
Update to version 1.3.9.3 or later.
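The weakness above is an extension denylist that omits .phar and .svg. The following added example (written for this advisory, not code from the plugin or from WordPress) contrasts a naive denylist with an allowlist that validates every extension segment, and adds a content check for SVG bodies that carry script or event handlers. The allowlist contents, the denylist, the sample filenames and the sample SVG bodies are constructed assumptions. It goes slightly beyond the advisory by also rejecting nested extensions such as name.phar.png, since some web servers evaluate every extension of a filename.

```python
import re

# Constructed denylist in the style of a naive upload filter. It omits .phar
# (executed as PHP on some server configurations) and .svg (can carry script).
NAIVE_DENYLIST = {"php", "php5", "phtml", "exe", "js"}

# Assumed allowlist: only the types this contact form genuinely needs.
# Adjust per site; the point is that anything not listed is rejected.
ALLOWLIST = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}

# Matches inline script blocks, on* event handlers and javascript: URLs in SVG.
SVG_ACTIVE_PATTERN = re.compile(rb"<script|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def denylist_accepts(filename: str) -> bool:
    """Vulnerable pattern: reject only if the final extension is on a denylist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in NAIVE_DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: a base name plus one or more extensions, every one of
    which must be on the allowlist. Checking every segment rejects nested
    extensions such as 'notes.phar.png' and dotfiles such as '.htaccess'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(part in ALLOWLIST for part in parts[1:])


def svg_has_active_content(data: bytes) -> bool:
    """True if an SVG body contains script, event-handler attributes or
    javascript: URLs; such files must not be served from the uploads directory."""
    return SVG_ACTIVE_PATTERN.search(data) is not None


def scan_uploads(filenames) -> list:
    """Defender-side audit: names the denylist lets through but the allowlist
    rejects, i.e. files that should be reviewed or removed after patching."""
    return [f for f in filenames if denylist_accepts(f) and not allowlist_accepts(f)]


# Constructed sample of upload names, as they might appear in the uploads folder.
SAMPLE_UPLOADS = [
    "report.pdf",
    "photo.JPG",
    "archive.phar",
    "logo.svg",
    "notes.phar.png",
    "shell.php",
]

# Constructed SVG bodies: one plain drawing, one carrying a script element.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'


if __name__ == "__main__":
    for name in scan_uploads(SAMPLE_UPLOADS):
        print(f"denylist accepted but allowlist rejects: {name}")
    for label, body in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(f"{label} svg active content: {svg_has_active_content(body)}")
```

Running the block lists archive.phar, logo.svg and notes.phar.png as files a denylist would have accepted, which is exactly the gap the advisory describes; the SVG check is a second layer for sites that must accept SVG and therefore cannot rely on extension filtering alone.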
Fix
Unrestricted File Upload
Weakness Enumeration
Related identifiers
Affected products
Contact Form 7
Drag/Drop Multiple File Upload – Contact Form 7