WordPress Drag and Drop Multiple File Upload for Contact Form 7 Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability exists in the WordPress plugin 'Drag and Drop Multiple File Upload - Contact Form 7' in versions through 1.3.9.2. The plugin's upload filter does not block files with the .phar or .svg extension, so unauthenticated visitors can upload these file types through the contact form. A .phar file can contain PHP code and, if the web server is configured to execute .phar files as PHP, uploading one can lead to remote code execution. An .svg file can be used for stored cross-site scripting under certain conditions.
Impact
Exploitation allows unauthenticated upload of .phar and .svg files, with the potential for remote code execution or stored cross-site scripting.
Reproduction
The vulnerability can be reproduced by uploading a .phar or .svg file through the contact form, using the 'Drag and Drop Multiple File Upload' feature. This can be done without authentication, taking advantage of the plugin's failure to block these file types.
Remediation
Users are advised to update the plugin to version 1.3.9.3 or later.
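As an added illustration, not the plugin's own code, the following PHP shows the kind of allowlist check that closes the gap described above: a denylist that omits .phar and .svg is exactly the failure mode here, whereas an allowlist only accepts what the form needs. The extension list and function name are assumptions, and the rejection of inner extensions such as "file.phar.jpg" goes one step beyond what the advisory states.

```php
<?php
// Added example, not the plugin's own code: validate upload file names
// against an allowlist instead of a denylist.

// Hypothetical allowlist: only what the form actually needs to accept.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return true only when every extension segment of the file name is on the
 * allowlist. Checking every segment, not just the last one, also rejects
 * names such as "file.phar.jpg" (a hardening step beyond the advisory).
 */
function upload_extension_allowed(string $filename): bool
{
    $base  = basename($filename);      // drop any directory component
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                  // no extension, or dot-file: reject
    }
    array_shift($parts);               // discard the name before the first dot
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names => expected decision.
$samples = [
    'photo.jpg'     => true,
    'report.PDF'    => true,   // case-insensitive match
    'payload.phar'  => false,  // PHP archive: may be executed as PHP
    'image.svg'     => false,  // may embed script: stored XSS risk
    'file.phar.jpg' => false,  // inner forbidden extension
    '../notes.txt'  => true,   // path stripped, .txt allowed
    'noextension'   => false,
];

$allPass = true;
foreach ($samples as $name => $expected) {
    $decision = upload_extension_allowed($name);
    $allPass  = $allPass && ($decision === $expected);
    printf("%-15s %s\n", $name, $decision ? 'accept' : 'reject');
}
echo $allPass ? "all samples decided as expected\n" : "MISMATCH\n";
```

An extension check is one layer only; verifying the file content's MIME type and storing uploads in a directory where the web server does not execute scripts are the usual companions.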