๐Ÿ” CVE Alert

CVE-2025-8464

MEDIUM 5.3

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.

CWE CWE-23
Vendor glenwpcoder
Product drag and drop multiple file upload for contact form 7
Published Aug 16, 2025
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for glenwpcoder drag and drop multiple file upload for contact form 7

Be the first to know when new medium vulnerabilities affecting glenwpcoder drag and drop multiple file upload for contact form 7 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

glenwpcoder / Drag and Drop Multiple File Upload for Contact Form 7
0 โ‰ค 1.3.9.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/17f7be7f-f675-4c9f-a7b3-525a3c3c5775?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1018 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1050 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L77 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&new=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&sfp_email=&sfph_mail=

Credits

Thien Tran