PT-2023-16859 · WordPress · Drag/Drop Multiple File Upload Pro - Contact Form 7 Standard+1
Alex Sanford · Published 2023-03-21 · Updated 2023-04-25 · CVE-2023-1282
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin versions prior to 2.11.1
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin versions prior to 5.0.6.4
Description
The plugin does not sanitise or escape a request parameter before echoing it back into the page, which results in a reflected cross-site scripting (XSS) vulnerability. Because the injected script runs in the browser of whoever opens the crafted link, the issue can be used against high-privilege users such as administrators: an attacker who lures a logged-in admin to a URL carrying the payload can execute JavaScript in the admin's session on the site.
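The pattern described above, as an added example that is not the plugin's code and not taken from this advisory: a request parameter concatenated into an HTML attribute (vulnerable) beside the same output escaped for the attribute context (hardened), with a constructed payload and a rough check for attribute breakout. The parameter name `dnd_page` and the markup are hypothetical; the advisory does not name the affected parameter or template.

```php
<?php
// Added example, not the plugin's code. The parameter name "dnd_page" and
// the <input> markup are hypothetical; the advisory does not name them.
declare(strict_types=1);

// Constructed attacker-controlled value, as it would arrive in $_GET after a
// victim clicks a crafted link.
const PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="';

// Vulnerable: the parameter is written straight into an attribute value.
function render_vulnerable(array $get): string
{
    $page = (string) ($get['dnd_page'] ?? '');
    return '<input type="hidden" name="dnd_page" value="' . $page . '">';
}

// Hardened: the value is escaped for the attribute context at output time.
// In a WordPress plugin the equivalent is esc_attr(), which wraps
// htmlspecialchars() with ENT_QUOTES; for form input also run
// sanitize_text_field( wp_unslash( $_GET['dnd_page'] ) ) when reading it.
function render_hardened(array $get): string
{
    $page    = (string) ($get['dnd_page'] ?? '');
    $escaped = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="dnd_page" value="' . $escaped . '">';
}

// Rough reviewer check (a heuristic, not a parser): did the reflected value
// close the attribute and start a new one, e.g. an event handler?
function breaks_out_of_attribute(string $html): bool
{
    return (bool) preg_match('/value="[^"]*"\s+\w+=/i', $html);
}

$get = ['dnd_page' => PAYLOAD];

printf("vulnerable: %s\n", render_vulnerable($get));
printf("hardened:   %s\n", render_hardened($get));
printf("vulnerable breaks out of attribute: %s\n",
    breaks_out_of_attribute(render_vulnerable($get)) ? 'yes' : 'no');
printf("hardened breaks out of attribute:   %s\n",
    breaks_out_of_attribute(render_hardened($get)) ? 'yes' : 'no');
```

Run with `php example.php`. The vulnerable renderer emits `value="" onfocus="alert(document.cookie)" autofocus=""`, so the handler fires as soon as the page loads in the victim's browser; the hardened renderer emits the same characters as `&quot;`, which the browser keeps inside the attribute value. Escaping has to match the output context (attribute, text node, URL, JavaScript), which is why WordPress ships esc_attr(), esc_html(), esc_url() and esc_js() rather than one function.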
Recommendations
For Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin versions prior to 2.11.1, update to version 2.11.1 or later.
For Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin versions prior to 5.0.6.4, update to version 5.0.6.4 or later.
Affected Products
Drag/Drop Multiple File Upload Pro - Contact Form 7 Standard
Drag/Drop Multiple File Upload Pro - Contact Form 7 With Remote Storage Integrations