CVE-2024-12267
Published: 31 January 2025
Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.
Security Summary
CVE-2024-12267 affects the Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress, impacting all versions up to and including 1.3.8.5. The vulnerability stems from insufficient file path validation in the dnd_codedropz_upload_delete() function, enabling limited arbitrary file deletion. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is associated with CWE-73 (External Control of File Name or Path).
Unauthenticated attackers can exploit this issue remotely with low complexity and no privileges required. Successful exploitation allows deletion of limited arbitrary files on the server, though critical files such as wp-config.php cannot be targeted, preventing escalation to remote code execution.
Advisories reference a patch in the plugin's Trac changeset 3231973, which updates the dnd-upload-cf7.php file to address the validation flaw. Wordfence threat intelligence provides further details on the vulnerability at their dedicated page.
Details
- CWE(s)