PT-2026-1566 · WordPress · Contact Form 7+1
Andrea Bocchetti · Published 2026-01-07 · Updated 2026-01-07 · CVE-2025-14842
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress versions prior to 1.3.9.3
Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress allows the upload of potentially dangerous file types, specifically .phar and .svg files, because the plugin fails to block these file extensions. Successful exploitation could allow unauthenticated attackers to upload malicious files. Uploading .phar files can lead to remote code execution if the server is configured to execute them as PHP. Uploading .svg files can result in Stored Cross-Site Scripting. The vulnerable component is the file upload functionality of the contact form.
Recommendations
Update to version 1.3.9.3 or later.
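The root cause described above is an extension denylist that omitted .phar and .svg. The following is an added example of the allowlist-based check a form plugin should apply instead; it is not the plugin's own code and does not reproduce the fix shipped in 1.3.9.3. The permitted extensions and expected MIME types are a constructed policy, and the sample files are created in a temporary directory purely to exercise the function.

```php
<?php
// Added example (not the plugin's code): allowlist-based upload validation.
// Assumptions: ALLOWED_EXTENSIONS / EXPECTED_MIME are a constructed policy,
// and $tmpPath is the temporary file PHP stored for the upload.
declare(strict_types=1);

// Only explicitly permitted extensions pass; .phar, .svg, .php and anything
// else not listed is rejected by default. A denylist must enumerate every
// dangerous extension and fails silently when one is missed.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

// MIME type the content must actually have for each allowed extension,
// so a script renamed to .png does not pass on the name alone.
const EXPECTED_MIME = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'txt'  => ['text/plain'],
];

/** Returns null when the upload is acceptable, otherwise the rejection reason. */
function validate_upload(string $originalName, string $tmpPath): ?string
{
    // Drop any directory component the client may have supplied.
    $base = basename(str_replace('\\', '/', $originalName));

    // Every dot-separated suffix must be allowed, not only the last one,
    // so double extensions such as "cv.php.pdf" are rejected as well.
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'file name has no usable extension';
    }
    array_shift($parts); // remove the stem
    foreach ($parts as $suffix) {
        if (!in_array(strtolower($suffix), ALLOWED_EXTENSIONS, true)) {
            return "extension .$suffix is not permitted";
        }
    }
    $ext = strtolower(end($parts));

    // Content check: libmagic must agree with what the extension claims.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, EXPECTED_MIME[$ext], true)) {
        return 'content type ' . var_export($detected, true) . " does not match .$ext";
    }

    return null;
}

// Constructed demonstration inputs (not real uploads).
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00");
$svg = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($svg, '<svg xmlns="http://www.w3.org/2000/svg"></svg>');

$cases = [
    ['photo.png',   $png], // allowed extension, matching content -> accepted
    ['icon.svg',    $svg], // .svg not on the allowlist -> rejected
    ['bundle.phar', $png], // .phar not on the allowlist -> rejected
    ['cv.php.pdf',  $png], // double extension -> rejected on ".php"
    ['notes.txt',   $png], // name says text, content is PNG -> rejected
];
foreach ($cases as [$name, $path]) {
    $reason = validate_upload($name, $path);
    printf("%-12s %s\n", $name, $reason === null ? 'accepted' : "rejected: $reason");
}
unlink($png);
unlink($svg);
```

The check deliberately refuses SVG even though it is an image format: SVG is XML and may carry script, which is why the advisory classes it as a stored XSS vector. If a site must accept SVG, it needs a dedicated sanitizer and a Content-Security-Policy or separate origin for served uploads, not merely an extension rule.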
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Contact Form 7
Drag/Drop Multiple File Upload – Contact Form 7