The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.
References
Configurations
Configuration 1 (hide)
|
History
29 Nov 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Codedropz
Codedropz drag And Drop Multiple File Upload - Contact Form 7 |
|
CWE | CWE-434 | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c?source=cve - Patch, Third Party Advisory | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2987252%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=2968538%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail= - Patch | |
References | () https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L904 - Product | |
References | () https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L855 - Product | |
References | () https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.7.2/inc/dnd-upload-cf7.php#L828 - Product | |
CPE | cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:*:wordpress:*:* |
22 Nov 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-22 16:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-5822
Mitre link : CVE-2023-5822
CVE.ORG link : CVE-2023-5822
JSON object : View
Products Affected
codedropz
- drag_and_drop_multiple_file_upload_-_contact_form_7
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type