CVE-2023-1112
Published: 01 March 2023
Summary
CVE-2023-1112 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 4.7 (Medium).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability exists in the Drag and Drop Multiple File Upload Contact Form 7 plugin version 5.0.6.1 for WordPress. It is present in an unspecified function within the admin-ajax.php file, where manipulation of the upload_name argument permits relative path traversal. The issue is tracked as CWE-23 and CWE-22, carries a CVSS 3.1 score of 4.7, and can be triggered remotely.
An attacker with administrative privileges can exploit the flaw over the network to read or write files outside the intended directory, resulting in limited impacts to confidentiality, integrity, and availability. Public proof-of-concept code has been released, enabling potential use by any party able to reach the affected endpoint.
The EPSS score rose from a low baseline to a peak of 0.3855, indicating emerging exploitation interest after public disclosure. References consist of a GitHub repository containing the exploit details along with Vuldb entries, but no vendor patch or mitigation guidance is provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23398
Vulnerability details
A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222072.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
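The control listed above, and the upload_name weakness described under "Deeper analysis", can be illustrated with a small validator. This is an added example, not code from the plugin, the advisory or any of the referenced sources; it assumes a hypothetical upload handler that receives a user-controlled filename and a fixed upload directory. The directory and sample filenames are constructed for the demonstration.

```python
"""
Added example (not the plugin's code): a defensive validator for a
user-supplied upload filename such as the ``upload_name`` argument.
It implements the mitigating control from the advisory: the name is
restricted to a single safe path component, and the resolved destination
is verified to remain inside the upload directory.
"""
import os
import re
import tempfile

# Allow-list for stored filenames: leading alphanumeric, then a limited set.
# Anything outside this pattern is rejected rather than "cleaned".
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeFilename(ValueError):
    """Raised when an upload name could escape the upload directory."""


def sanitize_upload_name(upload_name: str) -> str:
    """Return a single safe path component, or raise UnsafeFilename.

    Rejects NUL bytes, both '/' and '\\' separators (many stacks accept
    both), dot-only or dot-prefixed names, and anything off the allow-list.
    """
    if "\x00" in upload_name:
        raise UnsafeFilename("NUL byte in filename")
    normalised = upload_name.replace("\\", "/")  # catch Windows-style "..\\"
    if "/" in normalised:
        raise UnsafeFilename("path separator in filename")
    if normalised in ("", ".", "..") or normalised.startswith("."):
        raise UnsafeFilename("empty, dot, or hidden filename")
    if not _SAFE_NAME.match(normalised):
        raise UnsafeFilename("filename contains disallowed characters")
    return normalised


def resolve_upload_path(upload_dir: str, upload_name: str) -> str:
    """Join the sanitised name onto upload_dir and prove containment.

    realpath() is used on both sides so a symlink inside the upload
    directory cannot redirect the write elsewhere.
    """
    safe_name = sanitize_upload_name(upload_name)
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, safe_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: treat as outside
        inside = False
    if not inside:
        raise UnsafeFilename("resolved path escapes upload directory")
    return candidate


def check_names(upload_dir: str, names):
    """Classify candidate names; returns (accepted, rejected) in input order."""
    accepted, rejected = [], []
    for name in names:
        try:
            resolve_upload_path(upload_dir, name)
            accepted.append(name)
        except UnsafeFilename:
            rejected.append(name)
    return accepted, rejected


# Constructed sample inputs: two ordinary names plus traversal-style strings
# that a validator must refuse.
SAMPLES = ["report.pdf", "photo-01.jpg", "../outside.txt",
           "..\\..\\outside.txt", "sub/dir/file.txt", ".htaccess", "bad\x00.php"]


def demo_results():
    """Run the validator over SAMPLES in a throwaway upload directory."""
    with tempfile.TemporaryDirectory() as upload_dir:
        return check_names(upload_dir, SAMPLES)


if __name__ == "__main__":
    ok, bad = demo_results()
    print("accepted:", ok)
    print("rejected:", bad)
```

The design choice worth noting is that the validator fails closed: rather than stripping `..` or separators (which invites bypasses through double encoding or mixed separators), it rejects the request outright, and the final realpath containment check guards against anything the name-level rules miss.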