CVE-2025-1028
Published: 05 February 2025
Description
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
Security Summary
CVE-2025-1028 is an arbitrary file upload vulnerability in the Contact Manager plugin for WordPress, affecting all versions up to and including 8.6.4. The flaw arises from missing file type validation in the contact form upload feature, which allows attackers to place arbitrary files on the affected site's server. Published on 2025-02-05, it is rated 8.1 (High) under CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. Successful exploitation requires winning a race condition and occurs in specific server configurations where the first file extension is processed over the final one, potentially enabling remote code execution through the uploaded files.
Advisories indicate mitigation via an update to Contact Manager version 8.6.5, as shown in the WordPress plugin trac changeset comparing tags 8.6.4 and 8.6.5. Wordfence provides additional threat intelligence on the issue at their vulnerability page.
Details
- CWE(s)