CVE-2025-1028

Name of the Vulnerable Software and Affected Versions Contact Manager plugin for WordPress versions up to, and including, 8.6.4

Description The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible in specific configurations where the first extension is processed over the final. The vulnerability also requires successfully exploiting a race condition in order to exploit.

Recommendations For versions up to, and including, 8.6.4, update to a version that includes the fix for the arbitrary file upload vulnerability. As a temporary workaround, consider disabling the contact form upload feature until a patch is available. Restrict access to the upload feature to minimize the risk of exploitation. Avoid using the contact form upload feature in configurations where the first extension is processed over the final until the issue is resolved.