PT-2025-27592 · WordPress · Drag/Drop Multiple File Upload

Friderika Baranyai · Published 2025-07-01 · Updated 2025-07-07 · CVE-2025-5746

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress, versions 1.7.1 and earlier
- Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress, versions 5.0 through 5.0.5 (when bundled with the PrintSpace theme)
Description: The issue is an arbitrary file upload caused by missing file type validation in the dnd_upload_cf7_upload_chunks() function. It allows unauthenticated attackers to upload arbitrary files to the affected site's server, which can lead to remote code execution. Although PHP execution in the upload directory is disabled via a .htaccess file, that control is not honored by every server configuration, so execution may still be possible.
Recommendations: For versions 1.7.1 and earlier, update to a version that includes the fix for the missing file type validation. For versions 5.0 through 5.0.5 bundled with the PrintSpace theme, likewise update to a version that includes the fix. As a temporary workaround, consider disabling the dnd_upload_cf7_upload_chunks() function until a patch is available, and restrict access to the affected plugin to minimize the risk of exploitation.
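The following is an added, stand-alone illustration of the control the advisory says was missing, not code from the Drag and Drop Multiple File Upload plugin or from WordPress. It shows a deny-by-default allow-list for a chunked upload endpoint: the client-supplied name is checked for exactly one permitted extension (so double extensions and path characters are refused), the reassembled file's real content type is verified with finfo, and the stored name is random so the uploader never controls the path on disk. All function and constant names (uploadNameIsAllowed, uploadContentMatches, storageNameFor, ALLOWED_TYPES) are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not the plugin's code): allow-list validation for a
// chunked upload handler. Names below are hypothetical.
declare(strict_types=1);

// Extensions the site actually needs, mapped to the MIME types expected once the
// chunks have been reassembled. Anything not listed is rejected.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * True only if the client-supplied name has exactly one extension and that
 * extension is allow-listed. Rejects double extensions (e.g. "x.php.png", which
 * some Apache configurations still execute), path separators and null bytes.
 */
function uploadNameIsAllowed(string $clientName): bool
{
    if ($clientName === '' || strpbrk($clientName, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', $clientName);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, or more than one
    }
    return array_key_exists(strtolower($parts[1]), ALLOWED_TYPES);
}

/**
 * Checks the reassembled file's real content type against the types expected
 * for its extension. With chunked uploads this is only possible after the last
 * chunk arrives, which is why a per-chunk name check alone is not sufficient.
 */
function uploadContentMatches(string $path, string $clientName): bool
{
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime !== false && in_array($mime, ALLOWED_TYPES[$ext] ?? [], true);
}

/**
 * Storage name: random, carrying only the validated extension, so the
 * uploader never chooses the on-disk path.
 */
function storageNameFor(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed file names run through the name check.
$cases = ['report.pdf', 'photo.JPG', 'shell.php', 'shell.php.png', '../evil.png', 'noext'];
foreach ($cases as $name) {
    printf("%-16s %s\n", $name, uploadNameIsAllowed($name) ? 'allowed' : 'rejected');
}

// Constructed content check: a minimal PNG header stored under a .png name,
// then PHP source stored under the same extension.
$tmp = tempnam(sys_get_temp_dir(), 'up');
$pngHeader = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR" . pack('N', 1) . pack('N', 1)
    . "\x08\x02\x00\x00\x00" . str_repeat("\0", 4);
file_put_contents($tmp, $pngHeader);
printf("png bytes as ok.png:    %s\n", uploadContentMatches($tmp, 'ok.png') ? 'match' : 'mismatch');
file_put_contents($tmp, "<?php echo 1; ?>");
printf("php bytes as fake.png:  %s\n", uploadContentMatches($tmp, 'fake.png') ? 'match' : 'mismatch');
printf("stored as:              %s\n", storageNameFor('ok.png'));
unlink($tmp);
```

Because the advisory notes that the .htaccess guard is not honored by every server (nginx, for example, never reads it), the storage directory in a real deployment should sit outside the web root or be served through a handler that never executes its contents; the name and content checks above reduce what lands on disk, they do not replace that placement decision.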

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

BDU:2025-14402
CVE-2025-5746

Affected Products

Drag/Drop Multiple File Upload