WordPress Directory Traversal Vulnerability in Drag and Drop Multiple File Upload for Contact Form 7 Plugin

Vulnerability

A directory traversal vulnerability has been identified in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7', affecting all versions up to and including 1.3.9.0. The flaw stems from insufficient validation of the 'wpcf7_guest_user_id' cookie value, which allows unauthenticated attackers to upload and delete files outside the intended directory. The impact is partly mitigated by file type validation (only safe file types can be uploaded) and by restrictions on deletion (limited to the plugin's designated uploads folder), but the vulnerability still poses a risk.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads and deletions, potentially enabling further attacks such as code execution or compromise of the web application.

Reproduction

The vulnerability can be reproduced by sending a request with a crafted 'wpcf7_guest_user_id' cookie to a site using the affected plugin version. This can be done using a web browser or a tool like cURL. The request should include files that exploit the directory traversal vulnerability, such as PHP files or other executable scripts.

Remediation

Users are advised to update the plugin to version 1.3.9.1 or later, where this vulnerability has been patched.
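The defensive pattern that closes this class of bug is to treat a cookie value as an opaque token, never as a path fragment, and to confirm that any path about to be deleted still resolves inside the plugin's folder. The following PHP is an added illustration written for this advisory; it is not the plugin's own code, and the function names, the 'guest-uploads' folder and the 'file' request parameter are assumptions.

```php
<?php
// Added illustration (not the plugin's code): two checks that keep a
// per-visitor upload directory keyed by the 'wpcf7_guest_user_id' cookie
// from escaping the plugin's uploads folder.

/**
 * Return the cookie value only if it is a bare token; otherwise null.
 * Slashes, backslashes, dots and NUL bytes are all rejected, so the
 * value can never name a parent directory or an absolute path.
 */
function safe_guest_id(?string $cookie): ?string
{
    if ($cookie === null || !preg_match('/\A[A-Za-z0-9_-]{8,64}\z/', $cookie)) {
        return null;
    }
    return $cookie;
}

/**
 * True only if $path exists and, after symlink resolution, lies strictly
 * inside $baseDir. Call this before unlink()/rename() so that deletion
 * stays within the plugin's designated folder (defence in depth even
 * when the id check above is in place).
 */
function path_within_base(string $baseDir, string $path): bool
{
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// --- request handling (assumed layout) ---------------------------------

$baseDir = __DIR__ . '/guest-uploads';   // assumed location of the plugin folder

// Unsafe pattern, shown for contrast only: concatenating the raw cookie
// lets '../' segments in its value walk out of $baseDir.
// $guestDir = $baseDir . '/' . $_COOKIE['wpcf7_guest_user_id'];

// Hardened: reject anything that is not a plain token before it touches a path.
$guestId = safe_guest_id($_COOKIE['wpcf7_guest_user_id'] ?? null);
if ($guestId === null) {
    http_response_code(400);
    exit('invalid guest id');
}
$guestDir = $baseDir . '/' . $guestId;   // cannot leave $baseDir: $guestId is a bare token

// Deleting a previously uploaded file: basename() strips any directory part
// from the request parameter, and path_within_base() confirms the final
// resolved path is still under the plugin folder.
$target = $guestDir . '/' . basename($_POST['file'] ?? '');
if (path_within_base($baseDir, $target) && is_file($target)) {
    unlink($target);
}
```

The allow-list regex is the primary control; the realpath() containment check is there for the deletion path, where the file already exists and a symlink or a previously created directory could otherwise point outside the base folder.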

Added: Aug 16, 2025, 8:18 AM
Updated: Aug 16, 2025, 8:18 AM

Vulnerability Rating (custom algorithm)

  spread          0.0
  impact          0.0
  exploitability  8.4
  remediation     7.7
  relevance       0.4
  threat          4.8
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.