CVE-2025-2328

CVE-2025-2328 affects the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, specifically in all versions up to and including 1.3.8.7. The vulnerability stems from insufficient file path validation in the 'dnd_remove_uploaded_files' function, enabling arbitrary file deletion. This issue, classified under CWE-22 (Path Traversal), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-03-28.

Unauthenticated attackers can exploit this by uploading files via the plugin and embedding arbitrary file paths, such as ../../../../wp-config.php, into the metadata stored on the server. Exploitation requires the Flamingo plugin to be installed and activated, as it handles message storage and deletion. When an administrator reviews and deletes the contact form message containing the malicious paths, the plugin executes the deletion, potentially allowing attackers to delete critical files and achieve remote code execution.

Advisories, including those from Wordfence, detail the vulnerability and reference a patch in WordPress plugin changeset 3261964. Mitigation involves updating to a patched version beyond 1.3.8.7, as indicated in the plugin's source code changes at line 153 of dnd-upload-cf7.php. Security practitioners should verify Flamingo plugin usage and monitor for unauthorized file uploads in Contact Form 7 submissions.