CVE-2025-8464
📋 TL;DR
This vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin allows unauthenticated attackers to perform directory traversal attacks via the wpcf7_guest_user_id cookie. Attackers can upload and delete files outside intended directories, though impact is limited as only safe file types can be uploaded and deletion is restricted to the plugin's uploads folder. All WordPress sites using this plugin up to version 1.3.9.0 are affected.
💻 Affected Systems
- Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete legitimate files in the plugin's uploads directory, potentially disrupting form functionality or website operations.
Likely Case
Limited file manipulation within the plugin's uploads directory, potentially causing minor service disruption or data loss.
If Mitigated
No impact if proper file type validation is maintained and the plugin's uploads directory is isolated from the rest of the web root.
🎯 Exploit Status
Exploitation requires manipulating the wpcf7_guest_user_id cookie to perform directory traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.3.9.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Drag and Drop Multiple File Upload for Contact Form 7'.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify the plugin is updated to a version after 1.3.9.0.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: WordPress
Temporarily disable the plugin until the patched version is available:
wp plugin deactivate drag-and-drop-multiple-file-upload-contact-form-7
Restrict cookie manipulation
Platform: all
Implement web application firewall rules to block wpcf7_guest_user_id cookie values that contain path traversal sequences.
🧯 If You Can't Patch
- Disable the Drag and Drop Multiple File Upload for Contact Form 7 plugin immediately
- Implement strict file upload validation at web server level to prevent directory traversal
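The check that the "strict validation" bullets above call for is path containment: the untrusted value (here the cookie-derived guest id) is joined to the uploads base directory, the result is resolved, and the operation proceeds only if the resolved path is still inside the base. The following is an added example written for this page, not the plugin's own code or its fix; the base directory, the guest id token format and the sample inputs are assumptions, chosen to show how traversal and absolute-path inputs are rejected while legitimate ids pass.

```python
"""
Path-containment check for a per-guest upload directory (added example, not plugin code).

Two layers: an allow-list on the token itself, then a resolve-and-contain check on the
joined path, so the function stays safe even if the pattern is loosened later or a
symlink inside the base points elsewhere.
"""
import re
from pathlib import Path
from typing import Optional

# ASSUMED format for a legitimate guest id: a short URL-safe token. The real plugin's
# id format is not described on this page; adjust to what your deployment issues.
GUEST_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def contained_path(base_dir: str, untrusted: str) -> Optional[Path]:
    """Join `untrusted` onto `base_dir` and return the resolved path only if it stays inside.

    Handles "../" segments, absolute paths (Path joining discards the base for those)
    and symlinks, because both sides are resolved before comparison.
    """
    base = Path(base_dir).resolve()
    target = (base / untrusted).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target escapes base
    except ValueError:
        return None
    if target == base:  # "", "." or "sub/.." would map onto the base itself
        return None
    return target


def guest_upload_dir(base_dir: str, guest_id: str) -> Optional[Path]:
    """Directory for one guest id, or None if the id is malformed or escapes base_dir."""
    if not GUEST_ID_RE.fullmatch(guest_id):
        return None  # rejects "../", "%2e%2e", "/abs", empty and over-long values outright
    return contained_path(base_dir, guest_id)


if __name__ == "__main__":
    # Constructed inputs: one legitimate id, one traversal attempt, one absolute path.
    base = "/tmp/dnd-uploads-example"  # assumed base directory, not the plugin's real path
    for value in ("a1b2c3d4", "../../outside", "/etc"):
        print(f"{value!r:20} -> {guest_upload_dir(base, value)}")
```

The format check alone would already stop the traversal described in this advisory; the containment check is kept so that any code path that reaches the filesystem with an attacker-influenced segment is protected independently of how the value was screened upstream.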
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Drag and Drop Multiple File Upload for Contact Form 7' version 1.3.9.0 or earlier
Check Version:
wp plugin get drag-and-drop-multiple-file-upload-contact-form-7 --field=version
Verify Fix Applied:
Verify plugin version is higher than 1.3.9.0 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual file operations in plugin uploads directory
- Multiple failed upload attempts with manipulated cookie values
- wpcf7_guest_user_id cookie containing path traversal sequences (../)
Network Indicators:
- HTTP requests with wpcf7_guest_user_id cookie containing path traversal sequences
- Unusual file upload patterns to contact form endpoints
SIEM Query:
source="web_logs" AND (cookie="*wpcf7_guest_user_id*../*" OR uri="*/wp-content/uploads/drag-and-drop-multiple-file-upload-contact-form-7/*")
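The SIEM query above matches the literal sequence "../" only, so a cookie value that carries the same traversal in URL-encoded form ("..%2f", "%2e%2e/", or double-encoded "%252e%252e%252f") is not flagged. The script below is an added example, not part of this advisory: it parses constructed access-log lines, pulls the wpcf7_guest_user_id value out of the Cookie header, normalises it by repeated URL-decoding and separator unification, and reports the requests whose decoded value contains a traversal segment. The log format is assumed to be a combined format with `$http_cookie` appended as a final quoted field; the IP addresses, timestamps and cookie values are constructed.

```python
"""
Flag wpcf7_guest_user_id cookie values that contain path traversal, including encoded forms.
Added example for this advisory; the log lines are constructed, not captured from a real site.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

COOKIE_NAME = "wpcf7_guest_user_id"

# ASSUMED log format: combined log with the request's Cookie header as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# A ".." path segment bounded by a separator or the start/end of the value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample: one legitimate request, three traversal attempts in different
# encodings, and one unrelated request without the cookie.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0" "wpcf7_guest_user_id=a1b2c3d4; wordpress_test_cookie=WP+Cookie+check"
203.0.113.11 - - [10/Aug/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.0" "wpcf7_guest_user_id=../../../x"
203.0.113.12 - - [10/Aug/2025:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.0" "wpcf7_guest_user_id=..%2F..%2Fx"
203.0.113.13 - - [10/Aug/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.0" "wpcf7_guest_user_id=%252e%252e%252fx"
203.0.113.14 - - [10/Aug/2025:12:00:05 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "other=1"
"""


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), then treat backslashes as forward slashes."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = unquote(value)
    return value.replace("\\", "/")


def cookie_value(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Return the raw value of `name` from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def scan(log_text: str) -> List[dict]:
    """Return one record per request whose wpcf7_guest_user_id value decodes to a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip rather than guess
        raw = cookie_value(m["cookie"])
        if raw is not None and is_traversal(raw):
            hits.append({"ip": m["ip"], "ts": m["ts"], "raw": raw, "decoded": normalize(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} cookie={hit['raw']!r} decoded={hit['decoded']!r}")
```

Run against a real log, the decoding rounds are bounded so a value that keeps decoding to something new cannot stall the scanner, and a non-matching line is skipped rather than partially parsed; if your server logs the Cookie header in a different position, change only LOG_RE.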
🔗 References
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1018
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1050
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L77
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&new=3344512%40drag-and-drop-multiple-file-upload-contact-form-7&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/17f7be7f-f675-4c9f-a7b3-525a3c3c5775?source=cve