The plugin does not properly validate the “upload_dir” input, which is sent by the client and is therefore under the user’s control. By tampering with this value (directory traversal), an attacker can have the uploaded file written to any location the webserver process can write to, rather than only the plugin’s own upload directory.
1. Create a contact form and add a “multiple file upload” field.
2. Add the contact form to a page using the contact-form-7 shortcode.
3. Visit the page on the frontend and drag a file into the upload section.
4. Intercept the request and append /../.. to the upload_dir parameter.
5. See that the file is uploaded outside of the wpcf7_drag-n-drop_uploads directory.
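The steps above only show the tampered request; the example below, added here and not taken from the plugin or the advisory, simulates the server side of step 4 so the effect can be reproduced offline. It contrasts a naive handler that joins the client-supplied upload_dir onto the uploads base (the behaviour the advisory describes) with a hardened handler that resolves the resulting path and refuses anything that leaves the wpcf7_drag-n-drop_uploads folder. The uploads base path, the file name and the function names are assumptions for illustration; the plugin’s real code is PHP and is not reproduced here.

```python
import os

# Assumed (not from the advisory): name of the plugin's upload folder inside
# the WordPress uploads directory, as named in the PoC steps.
PLUGIN_UPLOAD_FOLDER = "wpcf7_drag-n-drop_uploads"


def vulnerable_target_path(uploads_base: str, upload_dir: str, filename: str) -> str:
    """Behaviour described in the advisory: the client-controlled upload_dir is
    joined onto the uploads base with no containment check, so "../" segments
    (or an absolute path) move the destination out of the plugin folder."""
    return os.path.normpath(os.path.join(uploads_base, upload_dir, filename))


def hardened_target_path(uploads_base: str, upload_dir: str, filename: str) -> str:
    """Resolve the requested destination and reject it unless it stays inside
    the plugin folder. Raises ValueError on traversal or a bad file name."""
    plugin_dir = os.path.realpath(os.path.join(uploads_base, PLUGIN_UPLOAD_FOLDER))
    # Keep only the final component of the file name so it cannot carry "../".
    safe_name = os.path.basename(filename)
    if not safe_name or safe_name in (".", ".."):
        raise ValueError("invalid file name")
    candidate = os.path.realpath(os.path.join(uploads_base, upload_dir, safe_name))
    # Containment check on the *resolved* path: candidate must be plugin_dir
    # itself or a descendant of it. A plain string prefix test is not enough,
    # because "wpcf7_drag-n-drop_uploads_evil" would pass it.
    if os.path.commonpath([plugin_dir, candidate]) != plugin_dir:
        raise ValueError(f"upload_dir escapes {plugin_dir}: {candidate}")
    return candidate


def demo() -> dict:
    """Run both handlers over constructed upload_dir values, including the
    '/../..' suffix from the PoC, and report where each would write the file."""
    uploads_base = "/var/www/html/wp-content/uploads"  # assumed WordPress layout
    plugin_dir = os.path.join(uploads_base, PLUGIN_UPLOAD_FOLDER)
    cases = {
        "normal": PLUGIN_UPLOAD_FOLDER,                 # untampered request
        "subdir": PLUGIN_UPLOAD_FOLDER + "/2024",        # legitimate sub-folder
        "traversal": PLUGIN_UPLOAD_FOLDER + "/../..",    # step 4 of the PoC
        "absolute": "/tmp",                              # absolute path variant
    }
    results = {}
    for label, upload_dir in cases.items():
        vuln = vulnerable_target_path(uploads_base, upload_dir, "shell.php")
        try:
            hard = hardened_target_path(uploads_base, upload_dir, "shell.php")
        except ValueError:
            hard = None  # request rejected by the hardened handler
        results[label] = {
            "vulnerable": vuln,
            "hardened": hard,
            "vulnerable_escapes": not vuln.startswith(plugin_dir + os.sep),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:10} vulnerable -> {r['vulnerable']}")
        print(f"{'':10} hardened   -> {r['hardened'] or 'REJECTED'}")
```

Note that the check works on the resolved path (after realpath), not on the raw parameter, so it also catches encoded or repeated "../" segments and absolute paths that a denylist on the string "../" would miss; the same pattern applies in PHP with realpath() and a prefix comparison against the resolved plugin directory.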