PHP Object Injection Vulnerability in Drag and Drop Multiple File Upload Plugin for WordPress
CVE-2025-2485
Key Information:
- Vendor: WordPress
- CVE Published: 28 March 2025
Summary
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.3.8.7. The 'dnd_upload_cf7_upload' function deserializes untrusted input, which lets an attacker inject a PHP object by supplying a PHAR file: PHP unserializes the metadata stored in a PHAR archive when it parses the archive, so a file path that reaches the phar:// stream wrapper is effectively an unserialize() call on attacker-controlled data. The plugin itself contains no known POP (property-oriented programming) gadget chain, so the deserialization has no direct impact on its own. If another installed plugin or theme provides such a chain, the impact depends on that chain and can include deleting arbitrary files or executing arbitrary code. The vulnerable code is reachable by unauthenticated attackers wherever the plugin's file upload feature is exposed on the site, but exploitation requires that the Flamingo plugin is also installed and activated.
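The following PHP snippet is an added illustration and is not code from the plugin, from Flamingo, or from any known gadget chain for this CVE. It shows why a phar:// path passed to an ordinary filesystem call is equivalent to unserialize() on attacker-supplied data, and the kind of path check an upload handler should apply instead. The class DemoGadget, the functions buildDemoPhar, vulnerableCheck and hardenedCheck, and the temporary file name are all hypothetical names chosen for the example.

```php
<?php
// Added illustration of PHAR-based PHP object injection and a hardened path check.
// Not the plugin's code. Run with: php -d phar.readonly=0 phar_demo.php

// Hypothetical gadget class: stands in for a class from some other plugin or
// theme whose magic method does something dangerous. Here it only prints.
class DemoGadget {
    public $note = 'phar metadata was unserialized';
    public function __wakeup() {
        echo "DemoGadget::__wakeup fired: {$this->note}\n";
    }
}

// Build a PHAR whose metadata is a serialized object (constructed test input,
// the equivalent of the file an attacker would upload).
function buildDemoPhar(string $path): void {
    if (file_exists($path)) {
        unlink($path);
    }
    $phar = new Phar($path);           // extension must contain .phar
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new DemoGadget());
    $phar->stopBuffering();
}

// Vulnerable pattern: a filesystem function on an attacker-influenced path.
// A phar:// path makes PHP parse the archive, including its metadata.
function vulnerableCheck(string $userPath): bool {
    return file_exists($userPath);
}

// Hardened pattern: refuse any stream wrapper, keep only the file name,
// resolve it inside the upload directory and confirm it stayed there.
function hardenedCheck(string $userPath, string $uploadDir): bool {
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return false;                  // phar://, file://, http:// and friends
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . basename($userPath));
    return $base !== false
        && $full !== false
        && strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
        && is_file($full);
}

$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo.phar';
buildDemoPhar($tmp);

echo "vulnerable: ";
var_dump(vulnerableCheck('phar://' . $tmp . '/dummy.txt'));   // __wakeup runs on PHP 7.x

echo "hardened:   ";
var_dump(hardenedCheck('phar://' . $tmp . '/dummy.txt', sys_get_temp_dir()));  // false, archive never parsed

// Belt and braces for code paths that never need phar:// at runtime.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
unlink($tmp);
```

Phar writing is disabled by default (phar.readonly=1), hence the -d flag when building the demo archive. On PHP 7.x the file_exists() call alone fires DemoGadget::__wakeup; PHP 8.0 and later defer metadata unserialization until Phar::getMetadata() is called, which narrows the trigger but leaves the class of bug in place, so the wrapper rejection and directory confinement in hardenedCheck are the actual fix. Unregistering the phar wrapper is only appropriate on sites where nothing else legitimately loads PHAR archives.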
Affected Version(s)
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7
Timeline
- Vulnerability reserved
- Vulnerability published: 28 March 2025