Arbitrary File Deletion Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress
CVE-2024-12267
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 31 January 2025
What is CVE-2024-12267?
The Drag and Drop Multiple File Upload plugin for WordPress, specifically in the dnd_codedropz_upload_delete() function, suffers from a vulnerability that allows unauthenticated users to delete certain files due to inadequate file path validation. This issue affects all versions up to and including 1.3.8.5, potentially allowing attackers to manipulate the server's file structure by deleting arbitrary files, while restricting them from accessing critical files such as wp-config.php that could lead to remote code execution.
Affected Version(s)
Drag and Drop Multiple File Upload for Contact Form 7 * <= 1.3.8.5