🔐 CVE Alert

CVE-2023-5822

HIGH 8.1

Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.

CWE CWE-434
Vendor glenwpcoder
Product drag and drop multiple file upload for contact form 7
Published Nov 22, 2023
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for glenwpcoder drag and drop multiple file upload for contact form 7

Be the first to know when new high vulnerabilities affecting glenwpcoder drag and drop multiple file upload for contact form 7 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

glenwpcoder / Drag and Drop Multiple File Upload for Contact Form 7
0 ≤ 1.3.7.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L828 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L855 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L904 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2987252%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=2968538%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail=

Credits

István Márton