PT-2025-25642 · Contact Form 7 · Drag/Drop Multiple File Upload – Contact Form 7

Michael Mazzolini · Published 2025-06-17 · Updated 2025-08-30 · CVE-2025-3515

CVSS v3.1: 9.8 (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Name of the Vulnerable Software and Affected Versions:**

Drag and Drop Multiple File Upload for Contact Form 7, all versions up to and including 1.3.8.9

**Description:**

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload because its file type validation relies on a blacklist of forbidden extensions rather than an allowlist of permitted ones. An unauthenticated attacker can bypass the blacklist by submitting a file with an extension it does not cover, such as `.phar`, and have it stored on the server. Where the web server hands `.phar` files to the PHP interpreter, which is the case with common Apache+mod_php setups (Debian's packaged mod_php configuration, for example, maps `.php`, `.phar` and `.phtml` to the PHP handler through a `FilesMatch` directive), requesting the uploaded file executes it, giving remote code execution.
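To make the bug class concrete, here is an added illustration (written for this page, not code from the plugin, which is PHP) of a deny-list validator of the kind that lets `.phar` through next to an allow-list validator that does not. The deny-list contents, the allow-list, the magic-byte table and the sample uploads are all constructed assumptions for the example.

```python
"""Deny-list vs. allow-list upload validation (illustrative, not the plugin's code)."""
import os
import re
import secrets

# Constructed deny-list in the style of the bug class: it names the obvious PHP
# suffixes but omits .phar, so "shell.phar" passes. Hypothetical, not the plugin's list.
DENY_LIST = {"php", "php3", "php4", "php5", "php7", "phtml", "exe", "sh", "cgi"}

# Allow-list: extension -> leading bytes the content must start with (None = no check).
ALLOW_LIST = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "txt": None,
}

_SAFE_STEM = re.compile(r"[a-z0-9_-]{1,64}")


def blacklist_check(filename: str) -> bool:
    """Vulnerable pattern: reject listed suffixes, accept everything else."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext not in DENY_LIST


def allowlist_check(filename: str, content: bytes) -> bool:
    """Hardened pattern: every dotted segment must be allow-listed and the
    content must start with the final extension's magic bytes. Rejects unknown
    suffixes (.phar), multi-extension names (shell.php.jpg), path separators
    in the stem, and content that does not match the claimed type."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not _SAFE_STEM.fullmatch(parts[0]):
        return False
    exts = parts[1:]
    if not all(e in ALLOW_LIST for e in exts):
        return False
    magic = ALLOW_LIST[exts[-1]]
    return magic is None or content.startswith(magic)


def stored_name(filename: str) -> str:
    """Never reuse the client's name on disk: random stem plus the validated extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def triage(filename: str, content: bytes) -> dict:
    """Side-by-side verdicts of both checks on one input."""
    return {
        "blacklist_accepts": blacklist_check(filename),
        "allowlist_accepts": allowlist_check(filename, content),
    }


if __name__ == "__main__":
    # Constructed sample uploads, not captured traffic.
    SAMPLES = [
        ("shell.phar", b"<?php system($_GET['c']); ?>"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
        ("photo.jpg", b"<?php system($_GET['c']); ?>"),
        ("notes.txt", b"plain text"),
    ]
    for name, body in SAMPLES:
        print(f"{name:16} {triage(name, body)}")
```

The magic-byte check is a second layer, not a substitute for server hardening: a JPEG/PHP polyglot still starts with valid JPEG bytes, so the uploads directory must additionally be configured so that nothing in it is ever handed to the PHP interpreter.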

**Recommendations:**

All versions up to and including 1.3.8.9 are affected.

At the time of writing, no release containing a fix has been identified. Until one is available and installed, limit the impact: disable PHP execution for the WordPress uploads directory in the web server configuration (for Apache+mod_php, a `<Directory>` block for wp-content/uploads with `php_admin_flag engine off`, or a `FilesMatch` rule that denies access to `.php`, `.phar` and `.phtml` files there), and check whether the server maps `.phar` to the PHP handler at all.

Tags: RCE, Unrestricted File Upload

Related Identifiers: CVE-2025-3515

Affected Products: Drag/Drop Multiple File Upload – Contact Form 7