Arbitrary File Deletion Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress
CVE-2024-12267
5.3MEDIUM
Key Information:
- Vendor
- GlenWPcoder
- Status
- Drag And Drop Multiple File Upload For Contact Form 7
- Vendor
- CVE Published:
- 31 January 2025
Summary
The Drag and Drop Multiple File Upload plugin for WordPress, specifically in the dnd_codedropz_upload_delete() function, suffers from a vulnerability that allows unauthenticated users to delete certain files due to inadequate file path validation. This issue affects all versions up to and including 1.3.8.5, potentially allowing attackers to manipulate the server's file structure by deleting arbitrary files, while restricting them from accessing critical files such as wp-config.php that could lead to remote code execution.
Affected Version(s)
Drag and Drop Multiple File Upload for Contact Form 7 * <= 1.3.8.5
References
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Youcef Hamdani