CVE-2025-14457
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete arbitrary files uploaded through the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin when the 'Send attachments as links' setting is enabled. It affects all WordPress sites using this plugin up to version 1.3.9.2. The issue stems from missing ownership verification in file deletion functions.
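The root cause named above is that the delete handler unlinks whatever file name it is handed without checking who uploaded it. The following Python example is added here to illustrate the two checks such a handler needs (path confinement to the upload directory, and proof that the caller is the uploader); it is not the plugin's code and does not reproduce the plugin's handler. The `UploadStore` class, its per-upload token, and the `unchecked_delete` contrast function are all constructed for this illustration; in a WordPress plugin the equivalent would be to store a random token per upload (for example in a transient) and require it in the AJAX delete request before calling `unlink()`.

```python
import hmac
import os
import secrets
import tempfile


def unchecked_delete(root, requested):
    """The unsafe pattern: joins the client-supplied name to the upload
    directory and removes it, with neither a containment nor an owner check.
    Illustrative only; it is not the plugin's actual code."""
    os.remove(os.path.join(root, requested))


class UploadStore:
    """Minimal upload store (constructed for this example).

    Every saved file is bound to a random token that is returned to the
    uploader; deletion requires that token and a path that resolves inside
    the store directory."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self._owners = {}  # relative file name -> token (a DB row or transient in practice)

    def save(self, name, data):
        rel = os.path.basename(name)  # discard any directory component from the client
        with open(os.path.join(self.root, rel), "wb") as fh:
            fh.write(data)
        token = secrets.token_urlsafe(16)
        self._owners[rel] = token
        return rel, token

    def _confine(self, requested):
        """Resolve symlinks and '..', then insist the result is below root."""
        real = os.path.realpath(os.path.join(self.root, requested))
        if os.path.commonpath([real, self.root]) != self.root:
            return None
        return real

    def delete(self, requested, token):
        real = self._confine(requested)
        if real is None:
            return "rejected: path outside upload directory"
        rel = os.path.relpath(real, self.root)
        expected = self._owners.get(rel)
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if expected is None or not hmac.compare_digest(expected, token):
            return "rejected: not the uploader of this file"
        os.remove(real)
        del self._owners[rel]
        return "deleted"


def demo():
    """Runs both handlers in a throwaway directory and reports what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.mkdir(root)
        sibling = os.path.join(tmp, "sibling.txt")  # stands in for a file outside the upload dir
        with open(sibling, "w") as fh:
            fh.write("constructed")

        store = UploadStore(root)
        rel, token = store.save("cv.pdf", b"%PDF-1.4 constructed sample")

        results = {
            "wrong_token": store.delete(rel, "not-the-token"),
            "traversal": store.delete("../sibling.txt", token),
            "sibling_survives_checked": os.path.exists(sibling),
            "owner": store.delete(rel, token),
        }
        results["upload_gone"] = not os.path.exists(os.path.join(root, rel))

        # The unchecked handler happily walks out of the directory.
        unchecked_delete(root, "../sibling.txt")
        results["sibling_removed_unchecked"] = not os.path.exists(sibling)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: confinement runs first so that a traversal attempt never reaches the ownership lookup, and the ownership lookup is keyed on the resolved relative name rather than the raw request string.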
💻 Affected Systems
- Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin
📦 What is this software?
A Codedropz add-on plugin that adds drag-and-drop, multiple-file upload fields to Contact Form 7 forms; it is installed separately from Contact Form 7 itself.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical WordPress files, uploaded user content, or other important files, potentially causing website disruption, data loss, or service unavailability.
Likely Case
Attackers delete recently uploaded contact form attachments, causing user frustration and potential data loss for form submissions.
If Mitigated
With proper file permissions and backups, impact is limited to temporary file loss until restoration from backups.
🎯 Exploit Status
Exploitation requires the vulnerable setting to be enabled and knowledge of file paths. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.9.3
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Drag and Drop Multiple File Upload for Contact Form 7'.
4. Click 'Update Now' if available, or download version 1.3.9.3+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable setting (all platforms)
Turn off the 'Send attachments as links' setting in the plugin configuration.
Restrict file permissions (Linux)
Set restrictive permissions on the upload directory to prevent deletion:
chmod 755 /path/to/wordpress/wp-content/uploads/dnd-upload-cf7/
Directory permissions only stop processes that are not the directory's owner: if PHP runs as the owner of this directory (the usual setup), 755 still lets it unlink files, and if it does not, 755 also blocks new uploads. Treat this as a weak control and prefer disabling the setting.
🧯 If You Can't Patch
- Disable the 'Send attachments as links' setting immediately
- Implement web application firewall rules to block suspicious file deletion requests
🔍 How to Verify
Check if Vulnerable:
In WordPress admin > Plugins > Installed Plugins, confirm that 'Drag and Drop Multiple File Upload for Contact Form 7' is at version 1.3.9.2 or lower AND that the 'Send attachments as links' setting is enabled; both conditions are required for the site to be exposed.
Check Version:
wp plugin list --name='drag-and-drop-multiple-file-upload-contact-form-7' --field=version
Verify Fix Applied:
Confirm plugin version is 1.3.9.3 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=dnd_codedropz_upload_delete containing file paths
- Unexpected 200 OK responses to unauthenticated file deletion requests
Network Indicators:
- Unusual spikes in POST requests to admin-ajax.php endpoint
- Pattern of file deletion requests from unauthenticated sources
SIEM Query:
source="web_server" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="dnd_codedropz_upload_delete" AND NOT user_agent="WordPress/*"
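The log indicators above can be checked offline before a SIEM rule is in place. The Python script below is an added example (not part of the advisory) that parses web-server access-log lines in the common "combined" format, picks out POST requests to /wp-admin/admin-ajax.php whose `action` parameter is `dnd_codedropz_upload_delete`, and reports per-client bursts and calls that arrive without a Referer from the site's own form page. The sample log lines are constructed; they carry the action in the query string because the request body is normally not written to access logs, so on a real server you would need query-string logging or a proxy/WAF log that records POST parameters for this to match. The burst threshold and the Referer heuristic are assumptions to tune, not values from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DELETE_ACTION = "dnd_codedropz_upload_delete"

# Constructed sample lines (not real traffic). The first client fires three
# deletes in a row with no Referer; the second is a normal form user removing
# one attachment they just added.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload_delete HTTP/1.1" 200 27 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:10:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload_delete HTTP/1.1" 200 27 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:10:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload_delete HTTP/1.1" 200 27 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2026:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload HTTP/1.1" 200 311 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2026:10:05:41 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload_delete HTTP/1.1" 200 27 "https://example.test/contact/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:10:07:00 +0000] "GET /wp-content/uploads/2026/01/brochure.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_delete_request(rec):
    """The indicator from the advisory: POST to admin-ajax.php with the delete action."""
    return (
        rec["method"] == "POST"
        and rec["path"] == "/wp-admin/admin-ajax.php"
        and rec["params"].get("action") == DELETE_ACTION
    )


def summarize(log_text):
    """Per-client counts: delete calls seen, how many returned 200, how many lacked a Referer."""
    stats = defaultdict(lambda: {"total": 0, "ok": 0, "no_referer": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_delete_request(rec):
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 200:
            s["ok"] += 1
        if rec["referer"] in ("", "-"):
            s["no_referer"] += 1
    return dict(stats)


def alerts(log_text, burst_threshold=3):
    """Return (ip, successful_deletes, reason) tuples for clients worth investigating."""
    out = []
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["total"] >= burst_threshold:
            reasons.append(f"{s['total']} delete calls (burst)")
        if s["no_referer"]:
            reasons.append(f"{s['no_referer']} without a Referer from the form page")
        if reasons:
            out.append((ip, s["ok"], "; ".join(reasons)))
    return sorted(out)


if __name__ == "__main__":
    for ip, ok, why in alerts(SAMPLE_LOG):
        print(f"{ip}: {ok} successful delete(s); {why}")
```

A single delete with a Referer from the contact page is what the plugin's own front-end produces when a visitor removes an attachment before submitting, so the script does not flag it; what it surfaces is the advisory's pattern of repeated, referer-less deletions that all succeed.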