Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal
CVE-2023-1112
Key Information:
- Vendor: WordPress
- CVE Published: 1 March 2023
Summary
A path traversal vulnerability exists in the Drag and Drop Multiple File Upload Contact Form 7 plugin for WordPress, specifically affecting version 5.0.6.1. The issue arises from improper handling of the upload_name argument passed to the admin-ajax.php endpoint, which can be manipulated to alter the file path used for an upload. A remote attacker could use this to execute arbitrary scripts or access sensitive files on the server. Because this vulnerability has been publicly disclosed, users should update the plugin promptly to mitigate potential exploitation.
Affected Version(s)
Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- Vulnerability published
- Vulnerability reserved
- Public PoC available
- Exploit known to exist