CVE-2025-2328
Published: 28 March 2025
Summary
CVE-2025-2328 is a high-severity Path Traversal (CWE-22) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion stemming from insufficient file path validation in the dnd_remove_uploaded_files function. The flaw affects all versions through 1.3.8.7 and is tracked as CWE-22 path traversal; successful exploitation also requires the Flamingo plugin to be installed and active.
Unauthenticated attackers can supply crafted file paths such as ../../../../wp-config.php when uploads are processed. When an administrator later deletes the associated contact message, the supplied paths are followed, enabling deletion of arbitrary files that can culminate in remote code execution on the server.
Public references point to a patched version released in changeset 3261964 and to the Wordfence threat-intel entry that details the issue and remediation steps; site operators are advised to update the plugin promptly.
EPSS for the CVE rose from a low baseline to a peak of 0.0503 on 2026-05-06 before receding to the current value of 0.0173, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8553
Vulnerability details
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
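The defect described in the deeper analysis and in the vulnerability details above is a file-removal routine that trusts a stored file name. The following PHP helper is an added illustration of the input validation control (SI-10) the page recommends, not the plugin's own code; the function name dnd_safe_remove, the $upload_dir parameter and the temp-directory sample run are assumptions. It refuses names that are not a bare file name, then confirms the resolved path still lies inside the uploads directory before calling unlink().

```php
<?php
// Added illustration, not the plugin's code: remove an uploaded file only if
// the stored name is a bare file name AND its resolved path stays inside the
// uploads directory. Names dnd_safe_remove / $upload_dir are assumptions.

function dnd_safe_remove(string $upload_dir, string $stored_name): bool
{
    // Canonicalise the directory every deletable file must live in.
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;
    }
    // First gate: anything that is not a bare file name (contains '/', '\',
    // or is empty) is rejected before the filesystem is touched.
    if ($stored_name === '' || $stored_name !== basename($stored_name)) {
        return false;
    }
    // Second gate: realpath() resolves symlinks and '..', so a prefix check on
    // the result also catches a symlink inside uploads pointing elsewhere.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $stored_name);
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($candidate)) {
        return false;
    }
    return unlink($candidate);
}

// Constructed sample run: a throwaway uploads directory plus one file outside it.
$uploads = sys_get_temp_dir() . '/dnd_demo_' . uniqid();
mkdir($uploads);
file_put_contents($uploads . '/legit.txt', 'ok');
$outside = sys_get_temp_dir() . '/dnd_demo_outside_' . uniqid();
file_put_contents($outside, 'must survive');

// Stored name carrying traversal segments, as in the advisory text.
var_dump(dnd_safe_remove($uploads, '../../../../wp-config.php'));
// Bare name that does not exist inside the uploads directory.
var_dump(dnd_safe_remove($uploads, basename($outside)));
// Legitimate upload inside the directory.
var_dump(dnd_safe_remove($uploads, 'legit.txt'));
// The file outside the uploads directory is reported on, then cleaned up.
var_dump(file_exists($outside));

unlink($outside);
rmdir($uploads);
```

Run with `php` from the command line; the three var_dump lines show the two rejected calls and the one accepted deletion, and the final check shows the outside file untouched.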
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing WordPress plugin, so initial exploitation maps to T1190; the resulting arbitrary file deletion via path traversal maps to T1070.004 (Indicator Removal: File Deletion).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely remediation through patching the vulnerable Drag and Drop Multiple File Upload plugin beyond version 1.3.8.7.
- Prevents path traversal exploitation by enforcing strict validation of file paths in the dnd_remove_uploaded_files function to block arbitrary paths like ../../../../wp-config.php.
- Identifies the presence of CVE-2025-2328 in installed WordPress plugins through vulnerability scanning, enabling proactive remediation.