Drag and Drop Multiple File Upload for Contact Form 7 Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin, in versions 1.3.9.6 and earlier. The root cause is inadequate validation of uploaded file types, and it is most exposed when custom blacklist types are configured. A filename containing non-ASCII characters is not sanitized as intended, so the extension check does not apply to the name that is actually stored. As a result, an unauthenticated visitor can upload arbitrary files, including PHP scripts, which may then be executed on the server.

Impact

Exploitation of this vulnerability allows unauthenticated users to upload files with dangerous extensions, such as .php, into a web-accessible upload directory. Where the web server executes scripts in that directory, this leads to remote code execution on the server.

Reproduction

The vulnerability can be reproduced by uploading a file through the 'mfile' field of a Contact Form 7 form on a site running version 1.3.9.6 or earlier of the Drag and Drop Multiple File Upload for Contact Form 7 plugin. The upload must use a filename that includes non-ASCII characters, which bypasses the plugin's filename sanitization. Additionally, if custom blacklist types are configured, the uploaded file can be of a type that is normally denied, taking advantage of the plugin's flawed handling of blacklisted extensions.
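To make the failure mode concrete, the following PHP is an added illustration of the check-then-transform bug class behind findings of this kind. It is not the plugin's code and does not claim to reproduce its actual logic: a hypothetical weak validator applies an extension blacklist to the raw filename and only afterwards strips non-ASCII bytes, so the extension it checked is not the extension of the name it stores. Beside it, a hardened validator normalizes the name first, decides on the normalized result, uses an allowlist instead of a blacklist, and refuses script extensions in any dot-separated segment. The function names, the sample filenames and the list contents are constructed for the example.

```php
<?php
// Added illustration, not the plugin's code. Function names, sample
// filenames, blacklist and allowlist contents are constructed.

// Hypothetical weak validator: the blacklist is applied to the raw name,
// then the name is "sanitized" by dropping every non-ASCII byte. The
// extension that was checked is not the extension that gets stored.
function weak_validate(string $raw, array $blacklist): ?string
{
    $ext = strtolower(pathinfo($raw, PATHINFO_EXTENSION));
    if (in_array($ext, $blacklist, true)) {
        return null; // looks safe when judged on the raw name
    }
    // Byte-wise strip (no /u flag): every byte of a multi-byte UTF-8
    // sequence is removed, so "shell.phép" becomes "shell.php".
    return preg_replace('/[^\x20-\x7E]/', '', $raw);
}

// Hardened validator: normalize to a safe ASCII name first, then apply
// an allowlist to that name, and reject script extensions anywhere in
// it (e.g. evil.php.pdf on hosts whose handlers match any segment).
// basename()/pathinfo() are locale-sensitive for multi-byte names, which
// is one more reason to decide only on the normalized result.
function hardened_validate(string $raw, array $allowlist): ?string
{
    $name = basename(str_replace('\\', '/', $raw));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name); // ASCII-only
    $name = preg_replace('/\.{2,}/', '.', $name);          // collapse ".."
    $name = trim($name, '._');
    if ($name === '' || strpos($name, '.') === false) {
        return null;
    }
    $segments = explode('.', $name);
    $ext = strtolower(end($segments));
    if (!in_array($ext, $allowlist, true)) {
        return null;
    }
    static $script = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                      'phtml', 'phar', 'phps', 'pht', 'shtml', 'htaccess'];
    foreach (array_slice($segments, 0, -1) as $seg) {
        if (in_array(strtolower($seg), $script, true)) {
            return null;
        }
    }
    // In a real upload handler, additionally sniff the stored bytes with
    // finfo_open(FILEINFO_MIME_TYPE) and compare against the allowlist.
    return $name;
}

// Constructed sample filenames: a benign upload, a plainly blacklisted
// script, and a script whose extension carries a non-ASCII character.
$samples = [
    "report.pdf",
    "shell.php",
    "shell.ph\u{00e9}p",   // "é" (bytes 0xC3 0xA9) inside the extension
];
$blacklist = ['php', 'phtml', 'phar'];
$allowlist = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

foreach ($samples as $s) {
    $weak = weak_validate($s, $blacklist);
    $hard = hardened_validate($s, $allowlist);
    printf("%-12s -> weak: %-20s hardened: %s\n",
        $s,
        $weak === null ? 'REJECTED' : "stored as $weak",
        $hard === null ? 'REJECTED' : "stored as $hard");
}
```

Run with `php validate_demo.php`. The third sample shows the mismatch: the weak validator sees the extension "phép", which is not on the blacklist, and then stores the file as shell.php; the hardened validator normalizes the same input to shell.ph_p, finds the extension "ph_p" is not allowlisted, and rejects it. The general lesson is to validate the exact name that will be written to disk, after all normalization, and to prefer an allowlist of expected types over a blacklist of dangerous ones.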

Remediation

Update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to version 1.3.9.7 or later, where this vulnerability has been fixed. After updating, confirm the installed version on the WordPress Plugins page and review the plugin's upload directory for unexpected files with script extensions that may have been placed before the fix was applied.

Added: Apr 17, 2026, 6:26 PM
Updated: Apr 17, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 0.0
relevance: 6.1
threat: 4.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.