Cyber Resilience

CVE-2025-2328

Severity: High
Published: 28 March 2025
Modified: 12 August 2025
KEV Added: not listed
Patch: available (changeset 3261964)
CVSS v3.1: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0173 (82.9th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2328 is a high-severity path traversal (CWE-22) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7 that allows unauthenticated arbitrary file deletion. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.1% of CVEs by EPSS-estimated exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion stemming from insufficient file path validation in the dnd_remove_uploaded_files function. The flaw affects all versions up to and including 1.3.8.7 and is tracked as CWE-22 path traversal. Successful exploitation also requires the Flamingo plugin, which stores Contact Form 7 submissions as messages in the WordPress admin, to be installed and active: it is the deletion of such a stored message that reaches the vulnerable function.

Unauthenticated attackers can attach crafted file paths such as ../../../../wp-config.php to the file names recorded with a submission. When an administrator later deletes the associated Flamingo message, dnd_remove_uploaded_files unlinks the recorded paths without confining them to the upload directory, so the traversal segments are honoured and arbitrary files on the server are deleted. Deleting wp-config.php is the step that turns file deletion into remote code execution: without its configuration file WordPress serves the installation wizard, which an attacker can complete against a database they control and then use to install a malicious plugin or theme. Two points matter for defenders: the attacker needs no account, and the destructive action runs with the administrator's privileges at a later time, so the malicious path may sit dormant in the message store until someone cleans up submissions.
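The two deletion routines below, as an added example that is not the plugin's own code (written in Python rather than PHP so it runs stand-alone), contrast the trusted-join pattern described above with a confined version that canonicalises the stored name and checks that the result stays inside the upload directory; it also illustrates the SI-10 input-validation control listed under Mitigating Controls, and adds a small hunt over stored records for traversal payloads already planted before an administrator deletes them. The site layout, the upload folder name wp_dndcf7_uploads/tmp, the function names and the Flamingo-style message records are constructed assumptions, not the plugin's real storage format.

```python
import os
import tempfile

# Added example, not the plugin's code. The site layout is constructed:
# <root>/wp-config.php with an upload folder four levels below it, so the
# page's payload "../../../../wp-config.php" resolves to the config file.
# The folder name and the record shape below are assumptions.
UPLOAD_SUBDIR = os.path.join("wp-content", "uploads", "wp_dndcf7_uploads", "tmp")
PAYLOAD = "../../../../wp-config.php"

# Constructed Flamingo-style message records: id plus the file names stored
# with each submission (record 101 is benign; 102 and 103 carry traversal).
CONSTRUCTED_RECORDS = [
    {"id": 101, "files": ["resume.pdf"]},
    {"id": 102, "files": [PAYLOAD]},
    {"id": 103, "files": ["..\\..\\wp-config.php", "cv.docx"]},
]


def setup_site(root):
    """Build the fake site under `root` and return its upload directory."""
    uploads = os.path.join(root, UPLOAD_SUBDIR)
    os.makedirs(uploads)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php /* constructed config */\n")
    with open(os.path.join(uploads, "resume.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed\n")
    return uploads


def naive_remove(uploads_dir, stored_name):
    """Vulnerable pattern: the stored name is trusted and joined verbatim."""
    path = os.path.join(uploads_dir, stored_name)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def is_traversal(name):
    """True unless `name` is one plain path component: no separators
    (forward or back slash), no '.'/'..', no NUL byte."""
    if "\x00" in name:
        return True
    norm = name.replace("\\", "/")
    return "/" in norm or norm in ("", ".", "..")


def confined_remove(uploads_dir, stored_name):
    """Hardened pattern: syntactic check, then canonicalise and confine."""
    if is_traversal(stored_name):
        raise ValueError(f"rejected stored name: {stored_name!r}")
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, stored_name))
    # realpath follows symlinks, so a link planted inside the upload dir
    # that points at wp-config.php resolves outside `base` and is rejected.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"resolved outside upload dir: {target}")
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def find_traversal_records(records):
    """Hunt: ids of stored records whose file names are not plain names."""
    return [r["id"] for r in records if any(is_traversal(n) for n in r["files"])]


def demo():
    """Run both routines against the constructed site; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = setup_site(root)
        naive_remove(uploads, PAYLOAD)
        results["naive_deleted_wp_config"] = not os.path.exists(os.path.join(root, "wp-config.php"))
    with tempfile.TemporaryDirectory() as root:
        uploads = setup_site(root)
        try:
            confined_remove(uploads, PAYLOAD)
            results["confined_rejected_payload"] = False
        except ValueError:
            results["confined_rejected_payload"] = True
        results["wp_config_intact"] = os.path.exists(os.path.join(root, "wp-config.php"))
        link = os.path.join(uploads, "link.pdf")
        try:
            os.symlink(os.path.join(root, "wp-config.php"), link)
            try:
                confined_remove(uploads, "link.pdf")
                results["confined_rejected_symlink"] = False
            except ValueError:
                results["confined_rejected_symlink"] = True
        except OSError:  # platforms where unprivileged symlinks are not allowed
            results["confined_rejected_symlink"] = None
        results["legit_delete_ok"] = confined_remove(uploads, "resume.pdf")
    results["suspicious_record_ids"] = find_traversal_records(CONSTRUCTED_RECORDS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The syntactic check alone is not sufficient, because a symlink with an innocent name inside the upload folder still points elsewhere; the realpath-plus-commonpath check is what actually confines the unlink. Because the deletion happens at message-cleanup time under an administrator's session, the check belongs in the deletion routine itself, not only at upload time.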

Public references point to the patched version, released as plugin directory changeset 3261964, and to the Wordfence threat-intelligence entry that details the issue and remediation steps; site operators are advised to update the plugin promptly.

EPSS for the CVE rose from a low baseline to a peak of 0.0503 on 2026-05-06 before receding to the current value of 0.0173, that is, a modelled probability of about 1.7% that exploitation activity is observed within the next 30 days. The rise after disclosure indicates a period in which the model judged exploitation more likely, not confirmed in-the-wild exploitation, which is consistent with the CVE's absence from KEV.

Vulnerability details

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 Indicator Removal: File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerable plugin is exposed on a public-facing WordPress site, so exploitation is T1190; the primitive the flaw yields is arbitrary file deletion via path traversal, mapped to T1070.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12267 (same product: Codedropz Drag And Drop Multiple File Upload - Contact Form 7)
CVE-2025-2485 (same product: Codedropz Drag And Drop Multiple File Upload - Contact Form 7)
CVE-2025-14457 (same product class: WordPress / CMS plugin)
CVE-2025-7360 (same product class: WordPress / CMS plugin)
CVE-2025-1661 (same product class: WordPress / CMS plugin)
CVE-2024-13545 (same product class: WordPress / CMS plugin)
CVE-2025-7341 (same product class: WordPress / CMS plugin)
CVE-2025-22786 (same product class: WordPress / CMS plugin)
CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)

Affected Assets

Vendor: codedropz
Product: drag and drop multiple file upload - contact form 7
Versions: ≤ 1.3.8.7 (all versions up to and including 1.3.8.7, per the vulnerability description)

Mitigating Controls (NIST 800-53 r5)

Prevent (patching): Directly mitigates the CVE by requiring timely remediation through updating the vulnerable Drag and Drop Multiple File Upload plugin to a release later than 1.3.8.7.

Prevent (SI-10, Information Input Validation): Prevents path traversal exploitation by enforcing strict validation of stored file paths in the dnd_remove_uploaded_files function, rejecting anything that is not a plain file name inside the upload directory (for example ../../../../wp-config.php).

Detect (RA-5, Vulnerability Monitoring and Scanning): Identifies the presence of CVE-2025-2328 in installed WordPress plugins through vulnerability scanning, enabling proactive remediation.