CVE-2025-53283

CVE-2025-53283 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WordPress plugin Drop Uploader for CF7 - Drag&Drop File Uploader Addon by borisolhor. This issue affects all versions of the plugin from n/a through 2.4.1 and enables attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and changed scope.

Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. By leveraging the plugin's drag-and-drop file upload functionality in Contact Form 7 forms, attackers can upload malicious files such as web shells, achieving high impacts on confidentiality, integrity, and availability. This typically results in remote code execution and full compromise of the affected WordPress site.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon/vulnerability/wordpress-drop-uploader-for-cf7-drag-drop-file-uploader-addon-plugin-2-4-1-arbitrary-file-upload-vulnerability?_s_id=cve) documents this arbitrary file upload vulnerability in version 2.4.1. Security practitioners should consult vendor and advisory resources for mitigation guidance, including updating the plugin beyond version 2.4.1 where patches are available.