CVE-2025-2328
Published: 28 March 2025
Summary
CVE-2025-2328 is a high-severity Path Traversal (CWE-22) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 10.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation: update the Drag and Drop Multiple File Upload plugin to a release later than 1.3.8.7, which removes the vulnerable code path.
SI-10 (Information Input Validation): enforce strict validation of the file paths handled by the dnd_remove_uploaded_files function so that a stored name such as ../../../../wp-config.php cannot resolve to a file outside the plugin's upload directory.
RA-5 (Vulnerability Monitoring and Scanning): scan installed WordPress plugins for CVE-2025-2328 so that affected sites are identified and remediated proactively.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable plugin runs on a public-facing WordPress site, so initial exploitation is Exploit Public-Facing Application (T1190); the path traversal then yields arbitrary file deletion, which maps to Indicator Removal: File Deletion (T1070.004).
NVD Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
Deeper analysis
CVE-2025-2328 affects the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress in all versions up to and including 1.3.8.7. The flaw is insufficient file path validation in the 'dnd_remove_uploaded_files' function, which allows arbitrary file deletion. It is classified under CWE-22 (Path Traversal), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and was published on 2025-03-28. The UI:R component reflects that an administrator has to act on the malicious submission before anything is deleted.
An unauthenticated attacker submits a contact form with an attachment and embeds an arbitrary path, such as ../../../../wp-config.php, in the file name that the plugin stores in the submission's metadata. Exploitation requires the Flamingo plugin to be installed and activated, because Flamingo is what persists the message and offers the administrator a way to delete it. When an administrator deletes that message, dnd_remove_uploaded_files removes the files named in the stored metadata without confining them to the upload directory, so the traversal path is honoured and the target file is deleted. Deleting wp-config.php is what turns deletion into remote code execution: without its configuration file WordPress falls back to the installation wizard, which an attacker can complete against a database they control and then use to run code on the site.
Advisories, including Wordfence's, describe the vulnerability and reference the fix in WordPress plugin changeset 3261964, whose relevant change is at line 153 of dnd-upload-cf7.php. Mitigation is to update to a patched version later than 1.3.8.7. Practitioners should also check whether Flamingo is active on their sites, since it is a precondition for exploitation, and monitor Contact Form 7 submissions for attachment names containing traversal sequences.
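The validation failure described above, shown as a minimal PHP example. This is added illustration, not the plugin's own code or the changeset's patch: the function names unsafe_remove and safe_remove, the sandbox directory layout and the sample file names are all assumed for the demo. The unsafe variant joins the stored name onto the upload directory and so follows a traversal sequence; the hardened variant rejects anything that is not a bare file name and then confirms, after realpath resolution, that the target is a regular file strictly inside the upload directory.

```php
<?php
// Added example (hypothetical names, not the plugin's code). Builds a throwaway
// directory tree standing in for wp-content/uploads and a wp-config.php one
// level above it, then contrasts an unconfined delete with a confined one.

$base = sys_get_temp_dir() . '/dnd_demo_' . getmypid();
mkdir($base . '/uploads', 0700, true);
file_put_contents($base . '/uploads/photo.jpg', 'jpeg bytes');   // constructed
file_put_contents($base . '/wp-config.php', "<?php // secrets\n");  // constructed

/**
 * Vulnerable pattern: trusts the stored file name. A name such as
 * "../wp-config.php" (or the deeper ../../../../ form from the advisory)
 * is concatenated onto the upload directory and followed by unlink().
 */
function unsafe_remove(string $uploadDir, string $storedName): bool
{
    $path = $uploadDir . '/' . $storedName;
    return is_file($path) && unlink($path);
}

/**
 * Hardened pattern: accept only a bare file name, resolve it inside the
 * upload directory, and delete only if the resolved path is a regular
 * file whose canonical location is under the canonical upload root.
 * The realpath() step also defeats symlinks planted inside the directory.
 */
function safe_remove(string $uploadDir, string $storedName): bool
{
    $root = realpath($uploadDir);
    if ($root === false) {
        return false;
    }
    // Reject separators, "." and ".." before touching the filesystem.
    if ($storedName === '' || $storedName === '.' || $storedName === '..'
        || $storedName !== basename($storedName)) {
        return false;
    }
    $target = realpath($root . DIRECTORY_SEPARATOR . $storedName);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare with a trailing separator so "/uploads2/x" does not pass for "/uploads".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (substr($target, 0, strlen($prefix)) !== $prefix) {
        return false;
    }
    return unlink($target);
}

$uploads = $base . '/uploads';

// Attacker-controlled name: one level up reaches wp-config.php in this sandbox.
$traversal = '../wp-config.php';

$blocked = safe_remove($uploads, $traversal);
printf("safe_remove(traversal): %s, wp-config.php present: %s\n",
    var_export($blocked, true), var_export(file_exists($base . '/wp-config.php'), true));

$ok = safe_remove($uploads, 'photo.jpg');
printf("safe_remove(photo.jpg): %s\n", var_export($ok, true));

$escaped = unsafe_remove($uploads, $traversal);
printf("unsafe_remove(traversal): %s, wp-config.php present: %s\n",
    var_export($escaped, true), var_export(file_exists($base . '/wp-config.php'), true));

// Clean up the sandbox.
@unlink($base . '/wp-config.php');
@unlink($base . '/uploads/photo.jpg');
@rmdir($base . '/uploads');
@rmdir($base . '/uploads');
@rmdir($base);
```

Run it with the PHP CLI; the confined delete refuses the traversal name and leaves wp-config.php in place, while the unconfined one removes it. The order of checks matters: the basename test runs before any filesystem access so a rejected name never reaches realpath(), and the prefix comparison is done on the resolved path, which is what makes the check robust against symlinks and against mixed ../ and ./ sequences that a string-level filter alone would miss.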
Details
- CWE(s)