CVE-2025-2485

Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress versions up to, and including, 1.3.8.7

Description The issue allows for PHP Object Injection via deserialization of untrusted input from the dnd upload cf7 upload function, making it possible for attackers to inject a PHP Object through a PHAR file. This vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code. The vulnerability can be exploited by unauthenticated attackers when a form is present on the site with the file upload action, and the Flamingo plugin must be installed and activated.

Recommendations For versions up to, and including, 1.3.8.7, consider disabling the dnd upload cf7 upload function until a patch is available to prevent PHP Object Injection. Restrict access to the file upload action in forms to minimize the risk of exploitation. Ensure the Flamingo plugin is not installed or is deactivated to reduce the potential impact of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.