Arbitrary File Deletion Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress
CVE-2025-2328
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 28 March 2025
What is CVE-2025-2328?
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress has a serious security flaw that allows unauthorized attackers to delete files from the server due to inadequate validation of file paths in its 'dnd_remove_uploaded_files' function. All versions up to and including 1.3.8.7 are affected. This vulnerability can be exploited if the Flamingo plugin is installed and activated, enabling attackers to manipulate uploaded files and potentially gain remote code execution by tricking an administrator into deleting certain messages.
Affected Version(s)
Drag and Drop Multiple File Upload for Contact Form 7 * <= 1.3.8.7