Arbitrary File Upload Vulnerability in Drag and Drop File Upload for Elementor Forms by add-ons.org
CVE-2025-49387

10CRITICAL

Key Information:

Vendor: WordPress
Status: Drag And Drop File Upload For Elementor Forms
Vendor: CVE Published:; 28 August 2025

What is CVE-2025-49387?

The Drag and Drop File Upload for Elementor Forms plugin by add-ons.org is vulnerable to an arbitrary file upload, allowing attackers to upload malicious files, including web shells, to the web server. This exploitation enables unauthorized remote access and control over affected systems. It is critical to ensure that your implementation is secured against this vulnerability to protect your web infrastructure and sensitive data.

Affected Version(s)

Drag and Drop File Upload for Elementor Forms <= 1.5.3

References

https://patchstack.com/database/wordpress/plugin/drag-and...

vdb-entry

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 28, 2025
Vulnerability Reserved
Jun 4, 2025

Credit

Phat RiO - BlueRock (Patchstack Alliance)

WordPress

What is CVE-2025-49387?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit