Cyber Resilience

CVE-2025-2485

High · RCE

Published: 28 March 2025
Modified: 12 August 2025
KEV Added: not listed in CISA KEV
Patch: partial fix in version 1.3.8.8
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0180 (83.2nd percentile)
Risk priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2485 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.8% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in versions through 1.3.8.7. The flaw stems from unsafe deserialization of untrusted input in the dnd_upload_cf7_upload function, which accepts a PHAR file. No POP chain exists inside the plugin itself, so the issue produces no direct impact unless another installed plugin or theme supplies a usable chain. The vulnerability carries a CVSS 3.1 score of 7.5 and is tracked as CWE-502.

Unauthenticated attackers can exploit the weakness when a Contact Form 7 form containing the file-upload action is present on the site and the Flamingo plugin is also installed and active. Successful exploitation may permit deletion of arbitrary files, disclosure of sensitive data, or arbitrary code execution, depending on the POP chain supplied by other components.

The vendor partially addressed the issue in version 1.3.8.8. Public changesets on the WordPress plugin repository and the Wordfence advisory document the code modifications that limit deserialization of untrusted PHAR input.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0359, indicating increased exploitation interest after disclosure.

Vulnerability details

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability is remotely exploitable without authentication in a public-facing WordPress plugin, which maps to T1190; the deserialization can lead to arbitrary code execution, which maps to T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12267 · Same product: Codedropz Drag And Drop Multiple File Upload - Contact Form 7
CVE-2025-2328 · Same product: Codedropz Drag And Drop Multiple File Upload - Contact Form 7
CVE-2025-14457 · Same product class: WordPress / CMS plugin
CVE-2024-13921 · Same product class: WordPress / CMS plugin
CVE-2025-1913 · Same product class: WordPress / CMS plugin
CVE-2024-11465 · Same product class: WordPress / CMS plugin
CVE-2024-13831 · Same product class: WordPress / CMS plugin
CVE-2024-13472 · Same product class: WordPress / CMS plugin
CVE-2026-29782 · Shared CWE-502
CVE-2026-42778 · Shared CWE-502

Affected Assets

codedropz · drag and drop multiple file upload - contact form 7 · versions ≤ 1.3.8.9

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

prevent · SI-2 Flaw Remediation: Timely flaw remediation ensures the vulnerable Drag and Drop Multiple File Upload plugin is patched to version 1.3.8.8 or later, eliminating the PHP object injection via deserialization.

prevent · SI-10 Information Input Validation: Information input validation on file uploads rejects malicious PHAR files before deserialization in the dnd_upload_cf7_upload function, directly preventing object injection.

prevent: Information input restrictions limit file upload forms to safe types and extensions, blocking PHAR files required to trigger the object injection vulnerability.
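The two input controls above (validate the upload, restrict it to safe types) can be expressed as one gate that runs before any code path could touch the stored file. The PHP below is an added illustration written for this page; it is not code from the Drag and Drop Multiple File Upload plugin, Contact Form 7 or WordPress. The function names, the extension allowlist and the usage snippet are constructed; the only fact it relies on is that a PHAR archive's stub must end with `__HALT_COMPILER();`, which is what the content scan looks for.

```php
<?php
// Added illustration (not the plugin's code): reject an upload that could be
// read back as a PHAR archive, before it is stored or deserialized anywhere.
// validate_upload(), contains_phar_stub() and disable_phar_wrapper() are
// hypothetical names; ALLOWED_EXTENSIONS is a constructed allowlist.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

/**
 * Returns null when the file passes, otherwise a short rejection reason.
 * $originalName is the client-supplied name; $tmpPath is the server-side
 * temporary file PHP created for the upload.
 */
function validate_upload(string $originalName, string $tmpPath): ?string
{
    // 1. Extension allowlist (SI-10 / input restriction). Only the LAST
    //    extension counts, and no earlier segment may be "phar", so a name
    //    like "photo.phar.jpg" is refused as well.
    $parts = explode('.', strtolower(basename($originalName)));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    $ext = array_pop($parts);
    if (!array_key_exists($ext, ALLOWED_EXTENSIONS)) {
        return "extension .$ext not allowed";
    }
    if (in_array('phar', $parts, true)) {
        return 'phar segment in file name';
    }

    // 2. Content type taken from the bytes on disk, never from the
    //    client-supplied $_FILES[...]['type'] field.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_EXTENSIONS[$ext], true)) {
        return 'content type ' . var_export($mime, true) . " does not match .$ext";
    }

    // 3. PHAR stub heuristic. Polyglot files put valid image bytes first and
    //    the archive after them, so the whole file is scanned, not just the
    //    header.
    if (contains_phar_stub($tmpPath)) {
        return 'file contains a PHAR stub';
    }

    return null;
}

// Streams the file in chunks and reports whether "__HALT_COMPILER" occurs
// anywhere in it. Any read failure is treated as a rejection (fail closed).
function contains_phar_stub(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return true;
    }
    $carry = '';                       // overlap so a match split across chunks is still found
    while (!feof($fh)) {
        $chunk = fread($fh, 65536);
        if ($chunk === false) {
            fclose($fh);
            return true;
        }
        if (stripos($carry . $chunk, '__HALT_COMPILER') !== false) {
            fclose($fh);
            return true;
        }
        $carry = substr($chunk, -20);
    }
    fclose($fh);
    return false;
}

// Defence in depth: if nothing in the application legitimately opens phar://
// URLs, remove the wrapper so a stored upload can never be opened as an archive.
function disable_phar_wrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Usage in an upload handler (constructed):
// disable_phar_wrapper();
// $reason = validate_upload($_FILES['file']['name'], $_FILES['file']['tmp_name']);
// if ($reason !== null) {
//     http_response_code(400);
//     exit('Upload rejected: ' . htmlspecialchars($reason));
// }
```

The stub scan is a heuristic, not a parser: it catches the stub-based archives that PHP's phar extension produces, and polyglots that embed one, but it should sit behind the extension allowlist and the MIME check rather than replace them. Storing uploads under server-generated names outside the web root, and unregistering the `phar://` wrapper when no component needs it, limit what a file can do even if a check is bypassed; the wrapper removal does break code that loads `.phar` archives at runtime, so confirm nothing on the site depends on it first.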

References