CVE-2024-12267

low-risk
Published 2025-01-31

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Drag And Drop Multiple File Upload - Contact Form 7

Affected Vendors

Codedropz

References (2)

Patch https://plugins.trac.wordpress.org/changeset/3231973/drag-and-drop-multiple-file...
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/00ec7251-3be1-411a-b38...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal