CVE-2025-2485
published 2025-03-28CVE-2025-2485: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including…
PriorityP277high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.54%
41.2th percentile
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload'
function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability. The vulnerability was partially patched in version 1.3.8.8.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codedropz | drag_and_drop_multiple_file_upload_contact_form_7 | < 1.3.8.9 | 1.3.8.9 |
| glenwpcoder | drag_and_drop_multiple_file_upload_for_contact_form_7 | <= 1.3.8.8 | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-qv6w-444m-m6w6: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and includ
ghsa_unreviewed·2025-03-28
CVE-2025-2485 [HIGH] CWE-502 GHSA-qv6w-444m-m6w6: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and includ
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload'
function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthent
VulnCheck
codedropz drag_and_drop_multiple_file_upload_-_contact_form_7 Deserialization of Untrusted Data
vulncheck·2025·CVSS 7.5
CVE-2025-2485 [HIGH] codedropz drag_and_drop_multiple_file_upload_-_contact_form_7 Deserialization of Untrusted Data
codedropz drag_and_drop_multiple_file_upload_-_contact_form_7 Deserialization of Untrusted Data
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload'
function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L25https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L844https://plugins.trac.wordpress.org/changeset/3261964/https://plugins.trac.wordpress.org/changeset/3288132/https://www.wordfence.com/threat-intel/vulnerabilities/id/79ffe548-0005-4f5e-873f-a1afec64a251?source=cve
2025-03-28
Published
Exploited in the wild