File Upload Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress
CVE-2025-14842

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
Drag And Drop Multiple File Upload For Contact Form 7
Vendor
CVE Published:
7 January 2026

What is CVE-2025-14842?

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress has a vulnerability that allows unauthenticated attackers to upload potentially harmful .phar or .svg files due to the absence of restrictions on these file types. If a server is configured to process .phar files as PHP, it can lead to remote code execution. Moreover, .svg files may enable Stored Cross-Site Scripting (XSS) under specific conditions, posing significant risks to website security.

Affected Version(s)

Drag and Drop Multiple File Upload for Contact Form 7 * <= 1.3.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/drag-and-drop-...
https://plugins.trac.wordpress.org/browser/drag-and-drop-...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti
JSON
.
CVE-2025-14842 : File Upload Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress