CVE-2023-5822 – Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5822
01 Nov 2023 — The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. This can be exploited if a user authorized to edit forms, which means editor privileges or above, has added a 'multiple ... • https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L828 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-1282 – Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-1282
15 Mar 2023 — The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard plugin for WordPress is vulnera... • https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-1112 – Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal
https://notcve.org/view.php?id=CVE-2023-1112
01 Mar 2023 — A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. • https://github.com/codeb0ss/CVE-2023-1112-EXP • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2022-45364 – WordPress Drag and Drop Multiple File Upload – Contact Form 7 Plugin <= 1.3.6.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45364
24 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions. The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.6.5. This is due to missing or incorrect nonce validation on the dnd_upload_cf7_upload and dnd_codedropz_upload_delete functions. This makes it possible for unauthenticated attackers to upload or delete... • https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-contact-form-7/wordpress-drag-and-drop-multiple-file-upload-contact-form-7-plugin-1-3-6-5-multiple-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-3282 – Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
https://notcve.org/view.php?id=CVE-2022-3282
26 Sep 2022 — The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. • https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-0595 – Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2022-0595
07 Mar 2022 — The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2686614 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-12800 – Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.3.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-12800
04 Jun 2020 — The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. • https://github.com/amartinsec/CVE-2020-12800 • CWE-434: Unrestricted Upload of File with Dangerous Type •