CVE-2025-2485
Published: 28 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-2485 is a PHP Object Injection vulnerability affecting the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress in all versions up to and including 1.3.8.7. The issue stems from deserialization of untrusted input in the 'dnd_upload_cf7_upload' function, enabling attackers to inject a PHP Object via a PHAR file. It is classified under CWE-502 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability when a Contact Form 7 form with file upload capability is present on the site and the Flamingo plugin is installed and activated. Uploading a malicious PHAR file triggers the object injection, but on its own the flaw has no practical impact, because no Property-Oriented Programming (POP) chain is present in the vulnerable software itself. If a POP chain exists via another installed plugin or theme, exploitation could lead to actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code, depending on the chain.
Wordfence advisories and WordPress plugin trac references indicate the vulnerability was partially patched in version 1.3.8.8, with relevant code changes documented in changesets 3261964 and 3288132, particularly around lines 25 and 844 in dnd-upload-cf7.php. Security practitioners should update to at least version 1.3.8.8 and review co-installed plugins for potential POP chains.
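The following is an added defensive example, not code from the plugin or from Wordfence: it shows the checks an upload handler can apply so that a PHAR archive is rejected before any filesystem call could unserialize its metadata. The function names prefixed dnd_example_ are hypothetical.

```php
<?php
// Added example (not the plugin's code): hardening an upload handler
// against PHAR-based PHP object injection.

/**
 * Reject paths that name a PHP stream wrapper. On PHP < 8.0, any
 * filesystem call (file_exists, filesize, is_file, ...) on a phar:// path
 * unserializes the archive's metadata, which is the injection trigger.
 */
function dnd_example_is_plain_path(string $path): bool
{
    // A plain filesystem path carries no "scheme://" prefix.
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) !== 1;
}

/**
 * Detect a PHAR archive regardless of extension. The PHAR loader locates
 * the stub terminator "__HALT_COMPILER();", so a polyglot (for example a
 * JPEG with a PHAR appended) still has to contain that token.
 */
function dnd_example_looks_like_phar(string $tmpFile): bool
{
    $data = file_get_contents($tmpFile);
    return $data !== false && stripos($data, '__HALT_COMPILER') !== false;
}

/**
 * Validate one entry of $_FILES. Returns null when the file is acceptable,
 * otherwise a short rejection reason for logging.
 */
function dnd_example_validate_upload(array $upload, array $allowedExt): ?string
{
    $ext = strtolower(pathinfo($upload['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return 'extension not allowed';
    }
    if (!dnd_example_is_plain_path($upload['tmp_name'] ?? '')) {
        return 'stream wrapper in path';
    }
    if (dnd_example_looks_like_phar($upload['tmp_name'])) {
        return 'PHAR signature found';
    }
    return null; // safe to move into the uploads directory
}

// On PHP < 8.0, additionally disable the phar:// wrapper if the site never
// needs it, so a stray file_exists() on attacker input cannot be weaponised.
if (PHP_VERSION_ID < 80000 && in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

A rejected upload should be logged with the reason string, since a PHAR signature in a contact-form attachment is a high-confidence indicator of an exploitation attempt against this class of bug.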
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated exploit of a public-facing WordPress plugin (T1190); the deserialization can lead to arbitrary code execution (T1059).