PT-2026-2983 · WordPress · Drag/Drop Multiple File Upload – Contact Form 7

Angus Girvan

Published: 2026-01-15

Updated: 2026-01-23

CVE-2025-14457

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions up to and including 1.3.9.2

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is susceptible to unauthorized modification of data. This is due to a missing ownership check within the dnd_codedropz_upload_delete() function. This allows unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

Recommendations

Update to a version beyond 1.3.9.2.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-14457

Affected Products

Drag/Drop Multiple File Upload – Contact Form 7