WordPress Drag and Drop Multiple File Upload for Contact Form 7 Plugin Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability exists in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' in versions through 1.3.8.9. The issue arises from inadequate validation of file types: the plugin relies on a blacklist of extensions, so unauthenticated attackers can upload potentially harmful files with extensions it does not block, such as .phar files, to the server. This can lead to remote code execution on servers that process .phar files as executable PHP, especially on a default Apache with mod_php setup, where the .phar extension is handed to the PHP interpreter without any further check of the file's contents.
Impact
Exploitation of this vulnerability could result in arbitrary file uploads, with the potential for remote code execution on the server, particularly if the uploaded file is a .phar file and the server is configured to execute such files as PHP scripts.
Reproduction
To reproduce this vulnerability, upload a file through the 'Drag and Drop Multiple File Upload' field in a Contact Form 7 form, using a version of the plugin prior to 1.3.9.0. Bypass the plugin's file type blacklist by renaming the file with a .phar extension. Once uploaded, the file can be executed as a PHP script on the server, leading to remote code execution.
Remediation
Users are advised to update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to version 1.3.9.0 or later.
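The following is an added illustration, not code from the plugin or the advisory, of why the blacklist approach described above fails and what an allowlist check looks like instead. The blocked and allowed extension sets and the list of extensions assumed to reach the PHP handler are assumptions chosen for the example; the filenames are constructed samples.

```python
from pathlib import PurePosixPath

# Assumed blacklist resembling the weak check: a fixed set of "dangerous" extensions,
# everything else is accepted. Note that "phar" is missing, which is the gap the advisory describes.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Hardened alternative: accept only the extensions the contact form actually needs (assumed set).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a default Apache + mod_php setup may map to the PHP interpreter
# (assumed list for the detection helper; compare with the real AddHandler/FilesMatch config).
PHP_HANDLER_EXTENSIONS = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps"}


def _extensions(filename: str) -> list[str]:
    """Return every extension of the basename, lowercased: 'a.phar.jpg' -> ['phar', 'jpg']."""
    name = PurePosixPath(filename).name
    return [part.lower() for part in name.split(".")[1:]]


def blacklist_accepts(filename: str) -> bool:
    """Weak check: only the final extension is compared against the blocklist."""
    exts = _extensions(filename)
    return bool(exts) and exts[-1] not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be on the allowlist.

    Requiring a single extension also rejects names such as 'shell.phar.jpg' that some
    multi-extension handler configurations would still execute.
    """
    exts = _extensions(filename)
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS


def risky_uploads(filenames) -> list[str]:
    """Defender helper: flag stored upload names carrying a PHP-handled extension anywhere."""
    return sorted(f for f in filenames if set(_extensions(f)) & PHP_HANDLER_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample of names as they might appear in an uploads directory listing.
    sample = ["photo.jpg", "shell.phar", "doc.pdf", "x.phtml"]
    for name in sample:
        print(f"{name:12} blacklist={blacklist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
    print("flagged:", risky_uploads(sample))
```

Running `risky_uploads` over a listing of the plugin's upload directory is a quick way to check an existing site for files that slipped through before the update to 1.3.9.0.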