CVE-2025-14842
📋 TL;DR
The Drag and Drop Multiple File Upload plugin for Contact Form 7 in WordPress allows unauthenticated attackers to upload malicious .phar or .svg files. This can lead to remote code execution via .phar files or stored cross-site scripting via .svg files. All WordPress sites using this plugin up to version 1.3.9.2 are affected.
💻 Affected Systems
- Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and persistent backdoor installation.
Likely Case
Stored cross-site scripting attacks compromising user sessions and defacing websites.
If Mitigated
Limited impact with proper file execution restrictions and content security policies in place.
🎯 Exploit Status
Exploitation requires minimal technical skill. Attackers can directly upload malicious files through contact forms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.9.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Drag and Drop Multiple File Upload – Contact Form 7'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.3.9.3+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable plugin temporarily
allDeactivate the vulnerable plugin until patched
wp plugin deactivate drag-and-drop-multiple-file-upload-contact-form-7
Restrict file uploads via .htaccess
linuxBlock .phar and .svg file execution in uploads directory
<FilesMatch "\.(phar|svg)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Disable the plugin completely and use alternative file upload solutions
- Implement web application firewall rules to block .phar and .svg file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Drag and Drop Multiple File Upload – Contact Form 7' versionCheck Version:
wp plugin get drag-and-drop-multiple-file-upload-contact-form-7 --field=versionVerify Fix Applied:
Verify plugin version is 1.3.9.3 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Multiple .phar or .svg file upload attempts in web server logs
- Unusual file uploads to /wp-content/uploads/drag-and-drop-multiple-file-upload/
Network Indicators:
- POST requests with .phar/.svg file uploads to contact form endpoints
SIEM Query:
source="web_logs" AND (uri_path="*wp-json/contact-form-7*" OR uri_path="*wp-admin/admin-ajax.php*") AND (file_extension="phar" OR file_extension="svg")🔗 References
- https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L108
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L1116
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3428236%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=3415946%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c78a0325-5bbf-4550-8477-94247f085e40?source=cve
