PT-2025-13443 · WordPress · Contact Form 7 (+2)

Published: 2025-03-28 · Updated: 2025-08-12 · CVE-2025-2328

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, versions up to and including 1.3.8.7.
Description: The issue is caused by insufficient file path validation in the dnd_remove_uploaded_files function, which allows unauthenticated attackers to attach arbitrary file paths to uploaded files on the server. The referenced files are deleted when an Administrator deletes the message, which can lead to remote code execution; exploitation requires the Flamingo plugin to be installed and activated.
Recommendations: For versions up to and including 1.3.8.7, update to a version that fixes the issue, since the current version allows arbitrary file deletion. As a temporary workaround, disable the dnd_remove_uploaded_files function until a patch is applied, and restrict access to the file upload feature to reduce the risk of exploitation.
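The weakness above is a delete routine that trusts a client-supplied file path. The following added example (not the plugin's code; the directory layout and file names are assumptions) shows the check such a routine needs: canonicalize the path and refuse anything that resolves outside the upload directory before calling unlink().

```php
<?php
// Added example, not the plugin's own code: confine a user-supplied
// attachment name to one known upload directory before deleting it.

/**
 * Return the canonical path of $userFile inside $uploadDir, or null when
 * the name escapes that directory or does not name an existing file.
 */
function safe_upload_path(string $uploadDir, string $userFile): ?string
{
    // Only a bare file name is acceptable: no separators, no '.'/'..',
    // no NUL bytes (which would truncate the path at the filesystem layer).
    if ($userFile === '' || $userFile === '.' || $userFile === '..'
        || $userFile !== basename($userFile)
        || strpos($userFile, "\0") !== false) {
        return null;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks, so a link placed in the upload
    // directory cannot redirect the delete outside of it either.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

/** Delete one attachment; true only if it lived inside the upload directory. */
function remove_uploaded_file(string $uploadDir, string $userFile): bool
{
    $path = safe_upload_path($uploadDir, $userFile);
    return $path !== null && unlink($path);
}

// Demonstration on a constructed temporary directory (assumed layout).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'attachment.txt', 'constructed sample');
var_dump(remove_uploaded_file($dir, 'attachment.txt'));       // in-directory file
var_dump(remove_uploaded_file($dir, '../outside.txt'));       // traversal rejected
var_dump(remove_uploaded_file($dir, "attachment.txt\0.jpg")); // NUL byte rejected
rmdir($dir);
```

In a WordPress context the same check should additionally be gated behind a capability and nonce check so that only the intended actor can trigger the deletion at all.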

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-2328

Affected Products

Contact Form 7
Drag/Drop Multiple File Upload – Contact Form 7
Flamingo