4 matches found

RedhatCVE
added 2025/12/13 3:59 a.m., 2 views

CVE-2025-13989

The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as...

CVSS 6.4, AI score 5.2, EPSS 0.00041
Exploits: 0, References: 1

RedhatCVE
added 2025/11/19 9:10 a.m., 3 views

CVE-2025-12775

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the ajaxuploadhandle function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation...

CVSS 8.8, AI score 7.5, EPSS 0.00255
Exploits: 0, References: 1

EUVD
added 2025/11/18 9:30 a.m., 3 views

EUVD-2025-197938

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the ajaxuploadhandle function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation...

CVSS 8.8, AI score 7, EPSS 0.00255
Exploits: 0, References: 5

Positive Technologies
added 2025/11/18 12:0 a.m., 4 views

PT-2025-47260

Name of the Vulnerable Software and Affected Versions: WP Dropzone versions prior to 1.1.1

Description: The WP Dropzone plugin for WordPress is susceptible to unauthorized file uploads. Authenticated attackers with subscriber-level access or higher can upload arbitrary files to the server through t...

CVSS 8.8, AI score 7.3, EPSS 0.00255
Exploits: 0, References: 10