- Description
- The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
- Source
- security@wordfence.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security@wordfence.com
- CWE-22
- Hype score
- Not currently trending
CVE-2025-2328 The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the … https://t.co/GX72zP0XAu
@CVEnew
29 Mar 2025
CVE-2025-2328 - WordPress - HIGH 🚨 🗓️ Date published 2025-03-28 07:15:39 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/W5rLyN957f
@vulns_space
28 Mar 2025
[CVE-2025-2328: HIGH] WordPress plugin vulnerable to arbitrary file deletion due to insufficient validation of file paths in the 'dnd_remove_uploaded_files' function. Unauthenticated attackers could exploit to exe...#cybersecurity,#vulnerability https://t.co/6gKk5G0jtK https://t.
@CveFindCom
28 Mar 2025