// For flags

CVE-2023-5822

Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.

El complemento Drag and Drop Multiple File Upload - Contact Form 7 para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validación insuficiente del tipo de archivo en la función 'dnd_upload_cf7_upload' en versiones hasta la 1.3.7.3 incluida. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código. Esto se puede aprovechar si un usuario autorizado para editar el formulario, lo que significa privilegios de editor o superiores, ha agregado un campo de formulario de 'carga de múltiples archivos' con '*' tipos de archivos aceptables.

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.

*Credits: István Márton
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-10-26 CVE Reserved
  • 2023-11-01 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-12-24 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Codedropz
Search vendor "Codedropz"
 Drag And Drop Multiple File Upload - Contact Form 7
Search vendor "Codedropz" for product "Drag And Drop Multiple File Upload - Contact Form 7"
 <= 1.3.7.3
Search vendor "Codedropz" for product "Drag And Drop Multiple File Upload - Contact Form 7" and version " <= 1.3.7.3"
wordpress
Affected