CVE-2025-2485
Published: 28 March 2025
Summary
CVE-2025-2485 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation ensures the vulnerable Drag and Drop Multiple File Upload plugin is patched to version 1.3.8.8 or later, eliminating the PHP object injection via deserialization.
Information input validation on file uploads rejects malicious PHAR files before deserialization in the dnd_upload_cf7_upload function, directly preventing object injection.
Information input restrictions limit file upload forms to safe types and extensions, blocking PHAR files required to trigger the object injection vulnerability.
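As an added example (not the plugin's, Wordfence's, or WordPress's own code), the following PHP shows the kind of input-validation checks SI-10 calls for on an upload path: an extension allow-list that also catches double extensions, a refusal of any path carrying a stream wrapper such as phar://, and a content check for the __HALT_COMPILER stub that every PHAR archive (including image polyglots) carries. All function names and the sample inputs are hypothetical.

```php
<?php
// Added example, not code from the affected plugin. Defensive checks a
// file-upload handler can run before any file function touches the upload.
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf', 'txt'];

/** A bare filesystem path never contains "scheme://"; anything else may be a wrapper (phar://, data://, ...). */
function is_plain_local_path(string $path): bool
{
    return preg_match('~^[a-z][a-z0-9+.\-]*://~i', $path) !== 1;
}

/** Allow-list check applied to every extension segment, so "a.phar.jpg" is rejected too. */
function has_allowed_extension(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;
    }
    array_shift($parts); // drop the base name, keep all extension segments
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/** Content check: a PHAR stub must end with __HALT_COMPILER(), even when prefixed by image bytes. */
function looks_like_phar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

/** Returns a rejection reason, or null when the upload passes all three checks. */
function upload_rejection_reason(string $filename, string $bytes): ?string
{
    if (!is_plain_local_path($filename)) {
        return 'stream wrapper in path';
    }
    if (!has_allowed_extension($filename)) {
        return 'extension not allow-listed';
    }
    if (looks_like_phar($bytes)) {
        return 'PHAR stub detected';
    }
    return null;
}

// Constructed sample inputs for demonstration only (not files from any real site).
$samples = [
    ['photo.jpg', "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16)],          // accepted
    ['photo.phar.jpg', "\xFF\xD8\xFF\xE0"],                               // double extension
    ['phar://uploads/photo.jpg', "\xFF\xD8"],                             // wrapper in path
    ['photo.jpg', "\xFF\xD8\xFF\xE0<?php __HALT_COMPILER(); ?>"],         // JPEG/PHAR polyglot
];
foreach ($samples as [$name, $bytes]) {
    echo $name, ' => ', upload_rejection_reason($name, $bytes) ?? 'accepted', PHP_EOL;
}
```

The content check is a heuristic and complements, rather than replaces, updating to 1.3.8.8 or later and auditing co-installed plugins for POP chains.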
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated exploit of a public-facing WordPress plugin, which maps to T1190; the deserialization can lead to arbitrary code execution, which maps to T1059.
NVD Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
Deeper analysis
CVE-2025-2485 is a PHP Object Injection vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress in all versions up to and including 1.3.8.7. The issue stems from deserialization of untrusted input in the 'dnd_upload_cf7_upload' function, enabling attackers to inject a PHP Object via a PHAR file. It is classified under CWE-502 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability when a Contact Form 7 form with file upload capability is present on the site and the Flamingo plugin is installed and activated. By uploading a malicious PHAR file, attackers can trigger object injection, but the vulnerability has no practical impact without a Property-Oriented Programming (POP) chain present in the vulnerable software itself. If a POP chain exists via another installed plugin or theme, exploitation could lead to actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code, depending on the chain.
Wordfence advisories and WordPress plugin trac references indicate the vulnerability was partially patched in version 1.3.8.8, with relevant code changes documented in changesets 3261964 and 3288132, particularly around lines 25 and 844 in dnd-upload-cf7.php. Security practitioners should update to at least version 1.3.8.8 and review co-installed plugins for potential POP chains.
Details
- CWE(s)