WordPress Drag and Drop Multiple File Upload for Contact Form 7 Unauthenticated Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing unauthenticated arbitrary file deletion has been identified in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7', in versions through 1.3.8.7. The issue arises from inadequate file path validation in the 'dnd_remove_uploaded_files' function. This vulnerability enables attackers to manipulate uploaded file paths to target sensitive files on the server, such as the WordPress configuration file. If an administrator deletes the corresponding message, this could lead to remote code execution. The vulnerability requires the Flamingo plugin to be installed and activated.
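The root cause named above is a removal routine that trusts a stored file path. As an added illustration (not the plugin's own code; the function name, directory layout and sample files are constructed for the demo), the following PHP shows the check such a routine should perform: canonicalize the path, confirm it resolves strictly inside the upload directory, and only then unlink it.

```php
<?php
// Added example: defensive path confinement before unlink().
// Hypothetical function; not taken from the plugin discussed on this page.

/**
 * Delete $candidate only if it resolves to a regular file strictly inside
 * $base_dir. Returns true on deletion, false when the path is rejected.
 */
function safe_delete_upload(string $base_dir, string $candidate): bool
{
    $real_base = realpath($base_dir);
    $real_file = realpath($candidate);
    if ($real_base === false || $real_file === false) {
        return false; // base directory missing or file does not exist
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix check on the canonical path rejects ../ traversal and symlinks
    // that escape the upload directory.
    if (strncmp($real_file, $real_base, strlen($real_base)) !== 0) {
        return false;
    }
    if (!is_file($real_file)) {
        return false; // never unlink directories or special files
    }
    return unlink($real_file);
}

// Constructed demonstration in a throwaway temporary directory.
$tmp     = sys_get_temp_dir() . '/dnd-demo-' . uniqid();
$uploads = $tmp . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/upload.txt', 'ok');
file_put_contents($tmp . '/wp-config.php', '<?php // stand-in for a sensitive file');

// A genuine upload inside the directory is deleted.
var_dump(safe_delete_upload($uploads, $uploads . '/upload.txt'));
// A path that climbs out of the upload directory is refused and the
// sensitive file survives.
var_dump(safe_delete_upload($uploads, $uploads . '/../wp-config.php'));
var_dump(file_exists($tmp . '/wp-config.php'));

// Cleanup of the demo directory.
unlink($tmp . '/wp-config.php');
rmdir($uploads);
rmdir($tmp);
```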

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files on the server, potentially leading to arbitrary code execution, especially if sensitive files are targeted.

Reproduction

To reproduce this vulnerability, upload a file using the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin, while the Flamingo plugin is active. After the upload, manipulate the file path to include a target file, such as 'wp-config.php'. Once the file is uploaded, delete the corresponding Flamingo message from the admin panel, which will trigger the deletion of the uploaded file. This process can be automated with a script that interacts with the WordPress REST API to upload files and delete messages.

Remediation

Users are advised to update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to version 1.3.8.8 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.0
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 4.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.