A vulnerability exists in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin, in all versions through 1.3.9.2. The issue arises from a missing ownership check in the dnd_codedropz_upload_delete() function, allowing unauthenticated attackers to delete arbitrary uploaded files. This exploitation is possible when the 'Send attachments as links' setting is enabled.
Exploitation of this vulnerability allows for unauthorized deletion of uploaded files, potentially leading to data loss.
Users can update to version 1.3.9.3 or a newer patched version to address this vulnerability.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
