CVE-2024-12267

Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress versions up to, and including, 1.3.8.5

Description The issue is related to insufficient file path validation in the dnd codedropz upload delete() function, allowing unauthenticated attackers to delete a limited number of arbitrary files on the server. However, it is not possible to delete critical files such as wp-config.php, which would enable remote code execution (RCE).

Recommendations For versions up to, and including, 1.3.8.5, update to a version higher than 1.3.8.5 to resolve the issue. As a temporary workaround, consider restricting access to the dnd codedropz upload delete() function until a patch is available. Additionally, monitor server logs for suspicious file deletion activity to minimize potential damage.