PT-2025-25642 · Contact Form 7 · Drag/Drop Multiple File Upload – Contact Form 7

Author: Michael Mazzolini
Published: 2025-06-17
Updated: 2025-10-05
CVE: CVE-2025-3515
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Drag and Drop Multiple File Upload for Contact Form 7, versions 1.3.8.9 and earlier

Description: The issue stems from insufficient file type validation. The plugin relies on a blacklist of file extensions, so unauthenticated attackers can bypass it and upload dangerous file types, such as .phar files, to the affected site's server. This may lead to remote code execution on servers configured to handle .phar files as executable PHP scripts, particularly in default Apache + mod_php configurations.

Recommendations: For versions 1.3.8.9 and earlier, update to a version later than 1.3.8.9 to resolve the issue. As a temporary workaround, consider restricting access to the dnd-upload-cf7.php file or disabling the Drag and Drop Multiple File Upload for Contact Form 7 plugin until a patch is available. Additionally, restrict the upload of .phar and other dangerous file types to minimize the risk of exploitation.
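To make the blacklist-versus-allowlist point concrete, the following is an added example (PHP 8; this is not the plugin's own code, and the function names, the extension lists and the sample filenames are hypothetical). It shows why a deny-list of "known bad" extensions lets .phar through when the author forgot to list it, and what an allow-list check with a content sniff looks like instead.

```php
<?php
// Added example, not code from the plugin. Names and lists are hypothetical.
// Requires PHP 8 (str_contains) and the fileinfo extension.

// Blacklist pattern: blocks only what the author thought of. ".phar" is absent,
// so a .phar upload passes even though mod_php may execute it as PHP.
function is_allowed_by_blacklist(string $filename): bool {
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'exe', 'js', 'html'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist pattern: accept only a small set of expected extensions, reject
// path separators, NUL bytes and double extensions (e.g. "a.jpg.phar").
function is_allowed_by_allowlist(string $filename, array $allowed): bool {
    if ($filename === '' || str_contains($filename, "\0")) {
        return false;
    }
    if (basename($filename) !== $filename) {
        return false;                       // contains "/" or "\"
    }
    $parts = explode('.', $filename);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;                       // no extension or more than one
    }
    return in_array(strtolower($parts[1]), $allowed, true);
}

// Second layer: the file's bytes must match what the extension claims.
// An allowlist on the name alone still admits a .jpg that contains PHP code,
// so pair it with a MIME sniff and a per-extension expected type.
function content_matches_extension(string $bytes, string $filename): bool {
    $expected = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($expected[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($bytes) === $expected[$ext];
}

// Constructed sample inputs (not real uploads).
$allowed = ['jpg', 'png', 'pdf'];
$samples = ['photo.jpg', 'report.pdf', 'shell.php', 'shell.phar', 'photo.jpg.phar', '../shell.phar'];
foreach ($samples as $name) {
    printf("%-16s blacklist=%-5s allowlist=%s\n",
        $name,
        is_allowed_by_blacklist($name) ? 'pass' : 'block',
        is_allowed_by_allowlist($name, $allowed) ? 'pass' : 'block');
}

// A minimal PNG header (constructed) passes the content check under a .png name,
// while PHP source under an image name is rejected.
$pngHeader = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR";
var_dump(content_matches_extension($pngHeader, 'logo.png'));          // bool(true)
var_dump(content_matches_extension("<?php echo 1; ?>", 'logo.png'));  // bool(false)
```

Run it with `php example.php`. The output lines show that the blacklist passes `shell.phar`, `photo.jpg.phar` and `../shell.phar` while the allowlist blocks all three; the only inputs both functions accept are the plain `photo.jpg` and `report.pdf`. In a real deployment the allowlist and the content check belong together, and the upload directory should additionally be served with script execution disabled so that a missed case cannot become code execution.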

Tags: Fix · RCE · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2025-3515

Affected Products: Drag/Drop Multiple File Upload – Contact Form 7