CVE-2023-5822 – Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5822
01 Nov 2023 — The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. This can be exploited if a user authorized to edit forms, which means editor privileges or above, has added a 'multiple ... • https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L828 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-4821 – Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4821
21 Sep 2023 — The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. • https://wpscan.com/vulnerability/3ac0853b-03f7-44b9-aa9b-72df3e01a9b5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-1282 – Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-1282
15 Mar 2023 — The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard plugin for WordPress is vulnera... • https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-1112 – Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal
https://notcve.org/view.php?id=CVE-2023-1112
01 Mar 2023 — A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. • https://github.com/codeb0ss/CVE-2023-1112-EXP • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2022-45377 – WordPress Drag and Drop Multiple File Upload for WooCommerce Plugin <= 1.0.8 is vulnerable to Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-45377
24 Feb 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce. This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8. • https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-for-woocommerce/wordpress-drag-and-drop-multiple-file-upload-for-woocommerce-plugin-1-0-8-multiple-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-45364 – WordPress Drag and Drop Multiple File Upload – Contact Form 7 Plugin <= 1.3.6.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45364
24 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions. The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.6.5. This is due to missing or incorrect nonce validation on the dnd_upload_cf7_upload and dnd_codedropz_upload_delete functions. This makes it possible for unauthenticated attackers to upload or delete... • https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-contact-form-7-plugin-1-3-6-5-multiple-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-3282 – Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
https://notcve.org/view.php?id=CVE-2022-3282
26 Sep 2022 — The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. • https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-0595 – Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2022-0595
07 Mar 2022 — The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2686614 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-12800 – Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.3.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-12800
04 Jun 2020 — The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. • https://github.com/amartinsec/CVE-2020-12800 • CWE-434: Unrestricted Upload of File with Dangerous Type •