Drag and Drop Multiple File Upload - Contact Form 7 WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the Drag and Drop Multiple File Upload - Contact Form 7 WordPress plugin, in versions through 1.3.9.5. The issue arises from inadequate file type validation in the 'dnd_upload_cf7_upload' function. This vulnerability could be exploited for remote code execution, particularly if the form includes a multiple file upload field with '*' as the accepted file type.
Impact
Exploitation of this vulnerability allows unauthenticated users to upload arbitrary files, which could lead to remote code execution if the uploaded files are executed on the server.
Reproduction
To reproduce this vulnerability, upload a file through a Contact Form 7 form that includes a multiple file upload field. Set the accepted file type to '*'. The uploaded file will bypass the plugin's file type restrictions and can be a PHP file, which may then be executed on the server.
Remediation
Users are advised to update the Drag and Drop Multiple File Upload - Contact Form 7 plugin to version 1.3.9.6 or later.
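The root cause the advisory describes is an accepted-type setting of '*' that switches validation off. As an added illustration (example code, not the plugin's own; the function names and the default allowlist are hypothetical), the weak pattern is shown beside a hardened validator that treats '*' as the default allowlist, checks every extension segment, and requires the MIME type sniffed from the content to match the extension.

```php
<?php
// Added example, not the plugin's code. Function names and the default
// allowlist are hypothetical; the point is how an accepted-type list is applied.
// Weak pattern: a wildcard accepted-type list bypasses validation entirely.
function cf7_dnd_validate_upload_weak(string $filename, array $accepted): bool
{
    if (in_array('*', $accepted, true)) {
        return true; // '*' lets any file through, including .php
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $accepted, true);
}

// Hardened pattern: '*' means "the safe default list", never "anything";
// every extension segment is checked (so name.php.png is refused), and the
// MIME type sniffed from the file content must agree with the extension.
function cf7_dnd_validate_upload_strict(string $filename, string $tmpPath, array $accepted): bool
{
    static $safeDefault = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
        'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain',
    ];
    // Wildcard falls back to the default; anything not in the default map is
    // dropped, so 'php' cannot be configured into the allowlist.
    $allowed = in_array('*', $accepted, true)
        ? $safeDefault
        : array_intersect_key($safeDefault, array_flip(array_map('strtolower', $accepted)));
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name, keep every extension segment
    if ($parts === [] || !is_file($tmpPath)) {
        return false; // no extension, or nothing to inspect
    }
    foreach ($parts as $ext) {
        if (!isset($allowed[$ext])) {
            return false;
        }
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $detected === $allowed[end($parts)];
}

// Constructed inputs (not from the advisory): a minimal PNG header and a PHP source file.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello';");
var_dump(cf7_dnd_validate_upload_weak('image.php', ['*']));     // wildcard path of the weak check
var_dump(cf7_dnd_validate_upload_strict('image.php', $php, ['*']));
var_dump(cf7_dnd_validate_upload_strict('image.png', $png, ['*']));
unlink($png); unlink($php);
```

Inside WordPress itself the same extension-versus-content check is what wp_check_filetype_and_ext() performs against the site's allowed MIME list, so a plugin should route uploads through it rather than its own wildcard handling.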
