CVE-2025-14842
File Upload Vulnerability in Contact Form 7 Plugin Enables RCE and XSS

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Wordfence

Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-01-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor          Product                                            Version / Range
unknown_vendor  drag_and_drop_multiple_file_upload_contact_form_7  up to 1.3.9.2 (inclusive)
unknown_vendor  drag_and_drop_multiple_file_upload_contact_form_7  1.3.9.3
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to upload malicious files that can lead to remote code execution and stored cross-site scripting, potentially compromising the security and integrity of the affected system. Such security breaches can result in unauthorized access to sensitive data, which may violate compliance requirements of standards like GDPR and HIPAA that mandate protection of personal and health information. Therefore, this vulnerability poses a risk to compliance with these regulations by undermining data confidentiality and system security. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability on your system, you should check if the Drag and Drop Multiple File Upload – Contact Form 7 plugin is installed and if its version is 1.3.9.2 or earlier. You can verify the plugin version in your WordPress admin dashboard or by inspecting the plugin files. Additionally, look for uploaded files with extensions such as .phar or .svg in the upload directories, as these file types were not properly blocked in vulnerable versions. You can use commands like 'find' on the server to locate such files, for example: find /path/to/wp-content/uploads/ -type f \( -iname "*.phar" -o -iname "*.svg" \). Also, check for the presence or absence of .htaccess files in upload directories that deny access to .php and .phar files, as the patched version adds these for protection. Finally, monitor for unusual AJAX requests lacking proper security nonces related to file uploads or deletions. These steps can help identify exploitation attempts or vulnerable setups. [2]
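The detection steps above, turned into a small audit script. This is an added example, not code from the plugin, Wordfence or this page: it lists .phar and .svg files under an uploads directory, flags SVGs that carry script content, and checks whether the directory has an .htaccess mentioning phar (a crude stand-in for the deny rules the patched version is said to add; the exact rule text is an assumption). The sample files it runs on are constructed inline.

```shell
#!/bin/sh
# Added defensive audit (not from the plugin or the advisory). Scans a WordPress
# uploads tree for the types the advisory names (.phar, .svg), flags .svg files
# carrying script content, and checks for an .htaccess that mentions phar.

# Print every .phar or .svg file under the directory given as $1.
list_dangerous_uploads() {
    find "$1" -type f \( -iname '*.phar' -o -iname '*.svg' \) 2>/dev/null
}

# Succeed if an SVG contains a <script tag or an on*= event-handler attribute.
svg_has_script() {
    grep -Eiq '<script|on[a-z]+[[:space:]]*=' "$1"
}

# Succeed if $1/.htaccess exists and mentions phar (heuristic; an assumption
# about how the protective rule is written, not the plugin's actual rule).
htaccess_blocks_phar() {
    [ -f "$1/.htaccess" ] && grep -iq 'phar' "$1/.htaccess"
}

# Report findings for the uploads directory $1; return 1 if anything was flagged.
audit_uploads() {
    dir=$1; status=0; tmp=$(mktemp)
    if ! htaccess_blocks_phar "$dir"; then
        echo "WARN: no .htaccess deny rule for .phar in $dir"; status=1
    fi
    list_dangerous_uploads "$dir" > "$tmp"
    # Redirected while loop runs in the current shell, so $status is kept.
    while IFS= read -r f; do
        case $f in
            *.[Pp][Hh][Aa][Rr]) echo "ALERT: .phar upload present: $f"; status=1 ;;
            *) if svg_has_script "$f"; then echo "ALERT: script in SVG: $f"; status=1
               else echo "INFO: SVG without script content: $f"; fi ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $status
}

# Demo on a constructed sample tree (no real site involved).
demo=$(mktemp -d)
printf 'constructed sample' > "$demo/upload.phar"
printf '<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>' > "$demo/bad.svg"
printf '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>' > "$demo/ok.svg"
if audit_uploads "$demo"; then echo "clean"; else echo "findings present"; fi
rm -rf "$demo"
```

Run it against the real uploads path as `audit_uploads /path/to/wp-content/uploads`; a non-zero exit means something needs a look, and an INFO line for a clean SVG is not by itself a finding.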


Can you explain this vulnerability to me?

This vulnerability exists in the Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress, versions up to 1.3.9.2. The plugin does not block uploading of .phar and .svg files, which can be dangerous. As a result, unauthenticated attackers can upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code in .phar files can lead to remote code execution on the server if the server executes .phar files as PHP. Uploaded .svg files can enable Stored Cross-Site Scripting attacks under certain conditions.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute malicious code on your server remotely if .phar files are executed as PHP, potentially compromising your server. Additionally, attackers can exploit uploaded .svg files to perform Stored Cross-Site Scripting (XSS) attacks, which can lead to theft of user data, session hijacking, or other malicious actions affecting users of your website.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the Drag and Drop Multiple File Upload – Contact Form 7 plugin to a version later than 1.3.9.2 where the issue is fixed. Additionally, restrict or block uploads of .phar and .svg files to prevent malicious file uploads. Review server configuration to ensure .phar files are not executed as PHP. Implement input validation and file type restrictions on uploads to prevent arbitrary file uploads.

