CVE-2025-2485
Published: 28 March 2025
Summary
CVE-2025-2485 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Codedropz Drag And Drop Multiple File Upload - Contact Form 7. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in versions through 1.3.8.7. The flaw stems from unsafe deserialization of untrusted input in the dnd_upload_cf7_upload function, which accepts a PHAR file. No POP chain exists inside the plugin itself, so the issue produces no direct impact unless another installed plugin or theme supplies a usable chain. The vulnerability carries a CVSS 3.1 score of 7.5 and is tracked as CWE-502.
Unauthenticated attackers can exploit the weakness when a Contact Form 7 form containing the file-upload action is present on the site and the Flamingo plugin is also installed and active. Successful exploitation may permit deletion of arbitrary files, disclosure of sensitive data, or arbitrary code execution, depending on the POP chain supplied by other components.
The vendor partially addressed the issue in version 1.3.8.8. Public changesets on the WordPress plugin repository and the Wordfence advisory document the code modifications that limit deserialization of untrusted PHAR input.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0359, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8552
Vulnerability details
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated exploit in a public-facing WordPress plugin, which maps to T1190 (Exploit Public-Facing Application); the deserialization can lead to arbitrary code execution, which maps to T1059 (Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation ensures the vulnerable Drag and Drop Multiple File Upload plugin is patched to version 1.3.8.8 or later, eliminating the PHP object injection via deserialization.
Information input validation on file uploads rejects malicious PHAR files before deserialization in the dnd_upload_cf7_upload function, directly preventing object injection.
Information input restrictions limit file upload forms to safe types and extensions, blocking PHAR files required to trigger the object injection vulnerability.
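The input-validation controls above, as an added illustration in PHP that is not the plugin's or the vendor's code: an upload check that allowlists extensions and scans the file body for the PHAR stub, because a PHAR archive can carry any extension (a JPEG/PHAR polyglot is a common shape), so an extension check alone does not close the phar:// deserialization path. The function names, the allowlist and the sample files are assumptions constructed for this example.

```php
<?php
// Added example, not the plugin's code. Validates an uploaded file before the
// plugin stores it (NIST SI-10): allowlist the extension, then scan the content
// for the PHAR stub, since a PHAR can wear any extension.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // assumed policy

// Every PHAR archive's stub must end with __HALT_COMPILER(); the token is
// case-insensitive in PHP, so the scan is too.
function contains_phar_stub(string $path): bool {
    $data = file_get_contents($path);
    if ($data === false) {
        return true; // unreadable: fail closed
    }
    return stripos($data, '__HALT_COMPILER') !== false;
}

// Returns null when the upload is acceptable, otherwise the rejection reason.
function validate_upload(string $client_name, string $tmp_path): ?string {
    $parts = explode('.', strtolower(basename($client_name)));
    array_shift($parts); // drop the base name, keep every extension segment
    if (count($parts) === 0) {
        return 'missing extension';
    }
    // Double extensions such as file.phar.jpg are caught segment by segment.
    foreach ($parts as $ext) {
        if ($ext === 'phar') {
            return 'phar extension';
        }
    }
    if (!in_array(end($parts), ALLOWED_EXTENSIONS, true)) {
        return 'extension not in allowlist';
    }
    if (contains_phar_stub($tmp_path)) {
        return 'PHAR stub found in file body';
    }
    return null;
}

// Constructed samples: a bare PNG header, and a JPEG header followed by a PHAR stub.
$clean = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($clean, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$polyglot = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($polyglot, "\xFF\xD8\xFF\xE0 stub <?php __HALT_COMPILER(); ?>");

var_dump(validate_upload('photo.png', $clean));       // allowed extension, clean body
var_dump(validate_upload('photo.jpg', $polyglot));    // allowed extension, PHAR body
var_dump(validate_upload('photo.phar.jpg', $clean));  // double extension
unlink($clean);
unlink($polyglot);
```

Run it with `php validate_upload.php`; the clean sample is the only call that returns null, the other two print the rejection reason.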