Drag and Drop Multiple File Upload for Contact Form 7 PHP Object Injection Vulnerability
Vulnerability
A PHP object injection vulnerability has been identified in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' in all versions up to and including 1.3.8.7. The plugin's 'dnd_upload_cf7_upload' function deserializes untrusted input: a file operation on an attacker-influenced path can be pointed at a PHAR archive, and PHP deserializes the archive's metadata, instantiating whatever objects it contains. The plugin itself contains no known payload execution chain (a "POP chain"), so the injected object is inert on its own. If another installed plugin or theme supplies such a chain, an attacker could delete arbitrary files, read sensitive data, or execute code, depending on what the injected object and the available chain do.
Impact
Successful exploitation gives an unauthenticated attacker PHP object injection. Combined with a payload execution chain from another plugin or theme, this can lead to arbitrary file deletion, and, depending on the chain, to data disclosure or code execution.
Reproduction
To reproduce, submit a PHAR archive through a Contact Form 7 form that uses the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin, version 1.3.8.7 or earlier. The Flamingo plugin must be installed and active: the vulnerable code path depends on Flamingo's processing of the uploaded file. Once the file is stored, the plugin performs a file operation on a path that resolves to the uploaded PHAR, PHP deserializes the archive's metadata, and the attacker's object is injected. Whether that has any visible effect depends on a suitable payload execution chain being present in another plugin or theme.
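The mechanism described above, as an added PHP example that is not the plugin's own code: a filesystem call on a path an attacker can shape, a PHAR whose metadata carries a serialized object, and a hardened path check that refuses stream wrappers. The class and function names (HypotheticalGadget, vulnerable_check, hardened_check, build_demo_phar) and the temp-directory layout are assumptions made for the illustration; the gadget class stands in for a chain some other plugin or theme might provide, since the vulnerable plugin ships none.

```php
<?php
// Added illustration, not the plugin's own code: how a PHP filesystem call on an
// attacker-controlled path deserializes PHAR metadata, and a hardened path check.
// Run with: php -d phar.readonly=0 phar_demo.php   (writing the demo archive
// requires phar.readonly=0; the vulnerable read does not).

// Hypothetical stand-in for a gadget class that some OTHER plugin or theme might
// provide. __wakeup() runs only when an instance is unserialized, so any output
// from it proves that deserialization happened.
class HypotheticalGadget
{
    public string $target = '';

    public function __wakeup(): void
    {
        // A real chain would do something like unlink($this->target) here.
        echo "HypotheticalGadget::__wakeup() fired, target={$this->target}\n";
    }
}

// Vulnerable pattern: a filesystem function on a path the attacker can shape.
// With a phar:// path, PHP 7.x opens the archive and unserializes its metadata
// before file_exists() returns; the object is created whether or not the
// surrounding code ever looks at it.
function vulnerable_check(string $path): bool
{
    return file_exists($path);
}

// Hardened form: refuse any stream wrapper and pin the resolved path inside the
// upload directory before touching the filesystem.
function hardened_check(string $path, string $uploadDir): bool
{
    // Any "scheme://" prefix (phar://, compress.zlib://, data://, ...) is rejected.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    $real = realpath($path);
    $base = realpath($uploadDir);
    if ($real === false || $base === false) {
        return false;
    }
    // Require $real to be strictly below $base (this also blocks ../ escapes).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($real);
}

// Builds the kind of archive an attacker would upload: the serialized gadget
// sits in the PHAR metadata, the file content is irrelevant. Phar requires a
// .phar name to write the archive here; an uploaded copy could carry any
// extension, because only the phar:// wrapper in the later path matters.
function build_demo_phar(string $file): void
{
    @unlink($file);
    $phar = new Phar($file);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'carrier');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $gadget = new HypotheticalGadget();
    $gadget->target = '/tmp/victim-file';
    $phar->setMetadata($gadget);
    $phar->stopBuffering();
}

// Constructed demo setup: an "upload directory" under the system temp dir.
$dir = sys_get_temp_dir() . '/dnd-phar-demo';
@mkdir($dir, 0700, true);
$archive = $dir . '/upload.phar';
build_demo_phar($archive);

// The path the vulnerable code would end up operating on.
$attackerPath = 'phar://' . $archive . '/x.txt';

echo "vulnerable_check on phar:// path: ";
var_dump(vulnerable_check($attackerPath));
echo "hardened_check on phar:// path: ";
var_dump(hardened_check($attackerPath, $dir));
echo "hardened_check on plain file inside upload dir: ";
var_dump(hardened_check($archive, $dir));
```

On PHP 7.x the first call prints the __wakeup() line before file_exists() even returns, which is the object injection in miniature; hardened_check() rejects the wrapper path and accepts the plain file. On PHP 8.0 and later, PHAR metadata is no longer unserialized automatically by stream-wrapper file operations (only Phar::getMetadata() does so), so the vulnerable call prints nothing there; the wrapper and directory check is still worth applying, since it also closes path traversal and older PHP versions remain in use.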
Remediation
Update to version 1.3.8.9 or a newer patched version to address this vulnerability.
