CVE-2022-0595
Published: 28 March 2022
Summary
CVE-2022-0595 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Drag and Drop Multiple File Upload WordPress plugin before version 1.3.6.3 is affected by a stored cross-site scripting vulnerability tracked as CVE-2022-0595. The flaw stems from the plugin allowing SVG file uploads by default over the dnd_codedropz_upload AJAX action, which fails to sanitize uploaded content and enables persistent script execution when files are later rendered.
An authenticated attacker with low privileges can upload a crafted SVG containing malicious JavaScript. When another user views the uploaded file, the script executes in the victim's browser context; the CVSS 5.4 rating reflects an impact on confidentiality and integrity across the site, with user interaction required.
The linked WordPress plugin changesets and WPScan advisory document that the issue is resolved in version 1.3.6.3 and later by tightening upload restrictions and adding proper file-type validation.
The associated EPSS score rose from a low baseline to a peak of 0.1787 on 2026-02-03 before receding to the current value of 0.0578, indicating a period of increased exploitation interest after disclosure.
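A content-based upload check in the spirit of the fix described above, as an added example in Python (not the plugin's code and not from the advisory): it classifies an upload by its bytes rather than its extension or declared MIME type, flags SVG that carries script elements, event-handler attributes or javascript: links, and by default refuses SVG altogether; the same function can sweep an existing uploads directory after patching. The set of elements and attributes treated as active content is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
# Constructs that make a rendered SVG execute code rather than just draw (assumed set).
ACTIVE_ELEMENTS = {"script", "foreignobject"}
JS_SCHEME = re.compile(r"^\s*javascript:", re.I)

@dataclass
class Verdict:
    is_svg: bool
    active: bool = False
    reasons: list = field(default_factory=list)

def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1].lower()  # drop the '{namespace}' prefix

def inspect_upload(data: bytes) -> Verdict:
    """Classify the bytes by content; extension and declared MIME type are ignored."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return Verdict(is_svg=False)  # not XML at all, e.g. a real PNG
    if _local(root.tag) != "svg":
        return Verdict(is_svg=False)
    reasons = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # any on* event-handler attribute
                reasons.append(f"{name} on <{tag}>")
            elif name == "href" and JS_SCHEME.match(value):
                reasons.append(f"javascript: href on <{tag}>")
    return Verdict(is_svg=True, active=bool(reasons), reasons=reasons)

def upload_allowed(data: bytes, allow_svg: bool = False) -> tuple:
    """Gate: by default (mirroring the fix) refuse every SVG; otherwise only active ones."""
    v = inspect_upload(data)
    if not v.is_svg:
        return True, "not SVG"
    if not allow_svg:
        return False, "SVG uploads are disabled"
    if v.active:
        return False, "SVG carries active content: " + "; ".join(v.reasons)
    return True, "inert SVG"

# Constructed samples (not from the advisory): inert SVG, active SVG, leading PNG bytes.
INERT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */'
              b'</script><rect width="1" height="1" onmouseover="x()"/></svg>')
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
```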
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15702
Vulnerability details
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.