WordPress Drag and Drop Multiple File Upload for Contact Form 7 Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability allowing arbitrary file read has been identified in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7', in versions through 1.3.9.6. The vulnerability arises because the plugin uses the client-supplied 'mfile[]' POST values to decide which files to attach to the outgoing email, without server-side validation or sanitization. As a result, unauthenticated attackers can place path traversal sequences in the 'mfile[]' parameter to read and exfiltrate arbitrary files readable by the web server, which are then sent as attachments in the email Contact Form 7 generates.
Impact
Exploitation of this vulnerability could lead to unauthorized access and disclosure of sensitive files from the WordPress 'wp-content' directory, through the 'mfile[]' parameter in a Contact Form 7 upload field.
Reproduction
To reproduce this vulnerability, submit a file through a form that uses the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin at version 1.3.9.6 or earlier, with a path traversal sequence in the 'mfile[]' parameter. Because the value is not validated, the referenced file is read and sent as an email attachment, giving access to any file readable by the web server.
Remediation
Users are advised to update the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin to version 1.3.9.7 or later, where this vulnerability has been patched.
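To illustrate the mechanism the Vulnerability section describes, the following is an added example, not the plugin's own code and not the 1.3.9.7 patch: the unsafe pattern of trusting 'mfile[]' values when building the attachment list, beside a hardened way of doing it. The function names and the $upload_dir argument are assumptions for the illustration.

```php
<?php
// Added illustration (not the plugin's code). $upload_dir is assumed to be
// the directory the plugin stores uploads in, e.g. under wp-content/uploads.

// Unsafe pattern as the advisory describes it: client-supplied mfile[] values
// are joined onto the upload directory with no check, so a value carrying
// "../" segments resolves outside it and any file the web server can read
// ends up attached to the outgoing email.
function attachments_unsafe(string $upload_dir, array $mfile): array {
    $attachments = [];
    foreach ($mfile as $name) {
        $attachments[] = $upload_dir . '/' . $name;   // no validation at all
    }
    return $attachments;
}

// Hardened alternative: accept a bare file name only, resolve the real path,
// and require it to be a regular file that still lies inside the upload
// directory after symlinks are resolved.
function attachments_hardened(string $upload_dir, array $mfile): array {
    $base = realpath($upload_dir);
    if ($base === false) {
        return [];                                     // upload dir missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $attachments = [];
    foreach ($mfile as $name) {
        // Reject non-strings, empty values, NUL bytes and anything with a
        // directory component ("../x", "sub/x", "x/").
        if (!is_string($name) || $name === '' || strpos($name, "\0") !== false
            || basename($name) !== $name) {
            continue;
        }
        $path = realpath($base . $name);
        // realpath() is false for a missing file; the prefix check catches a
        // symlink inside the upload dir that points elsewhere.
        if ($path === false || !is_file($path)
            || strncmp($path, $base, strlen($base)) !== 0) {
            continue;
        }
        $attachments[] = $path;
    }
    return $attachments;
}
```

The prefix comparison is done on the realpath() output rather than on the raw string, so it also rejects files reached through a symlink planted in the upload directory.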