CVE-2022-3282: CWE-639 Authorization Bypass Through User-Controlled Key in Unknown Drag and Drop Multiple File Upload – Contact Form 7
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
AI Analysis
Technical Summary
CVE-2022-3282 is a medium-severity vulnerability affecting the WordPress plugin 'Drag and Drop Multiple File Upload – Contact Form 7' version 1.3.6.5 and earlier. The vulnerability arises because the plugin does not properly enforce the file upload size limit configured by the site administrator. Instead, it relies on a user-supplied value for the maximum allowed file size during form submission. This improper validation constitutes an authorization bypass (CWE-639), allowing an attacker to override the intended upload size restrictions. Consequently, an attacker can upload files larger than the administrator-set limit, potentially leading to resource exhaustion or enabling the upload of malicious files that would otherwise be blocked. The vulnerability requires the attacker to have at least low-level privileges (PR:L) on the WordPress site but does not require user interaction beyond submitting the form. The CVSS v3.1 base score is 4.3 (medium), reflecting that the impact is limited to integrity (I:L) without affecting confidentiality or availability. No known exploits are currently reported in the wild, and no official patches are linked in the provided data, though it is likely that plugin updates beyond 1.3.6.5 address this issue. This vulnerability is particularly relevant for websites using Contact Form 7 with this plugin to handle file uploads, as it undermines the administrator's control over file upload policies, potentially increasing the risk of malicious file uploads or denial-of-service conditions due to large file handling.
Potential Impact
For European organizations, especially those operating websites with WordPress and Contact Form 7 integrated with the Drag and Drop Multiple File Upload plugin, this vulnerability can lead to unauthorized bypass of file upload size restrictions. This may allow attackers to upload excessively large files, potentially causing server resource exhaustion, degraded performance, or even denial of service. Additionally, the ability to bypass upload size limits could facilitate the upload of malicious files that evade detection or restrictions, increasing the risk of malware infection or data integrity compromise. Organizations handling sensitive customer data or regulated information may face compliance risks if malicious files are uploaded and executed or if service disruptions occur. The impact is more pronounced for organizations with high web traffic or those relying heavily on file uploads via contact forms. However, since exploitation requires at least some level of privilege (e.g., authenticated user), the risk is somewhat mitigated compared to fully unauthenticated vulnerabilities. Nonetheless, the vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities to escalate impact.
Mitigation Recommendations
1. Update the Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest version beyond 1.3.6.5 where the vulnerability is fixed. If an official patch is not yet available, consider temporarily disabling the plugin or restricting file upload functionality.
2. Implement server-side validation of file upload size limits independent of plugin settings to enforce strict size restrictions regardless of client input.
3. Employ Web Application Firewalls (WAFs) with rules to detect and block anomalous file upload requests exceeding expected size limits.
4. Monitor web server logs for unusual file upload activity, such as repeated large file uploads or attempts to bypass size restrictions.
5. Restrict file types allowed for upload to a minimal set of safe formats and scan uploaded files for malware using antivirus or sandboxing solutions.
6. Limit user privileges to the minimum necessary to reduce the risk of exploitation by authenticated users.
7. Regularly audit and review installed WordPress plugins for vulnerabilities and maintain an update schedule to promptly apply security patches.
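The following PHP is an added illustration, not code from the plugin or from WPScan. It shows, in generic form, the pattern the description attributes to the plugin (the size cap is read from a field in the submitted form) next to the server-side check that recommendation 2 asks for, where the cap comes only from stored configuration and the size is measured from the temporary upload on disk. All function names, the option name `example_upload_limit_bytes`, the `max_file_size` field name and the byte values are hypothetical.

```php
<?php
// Added example (not the plugin's code): the flaw CVE-2022-3282 describes, in
// generic form, next to the server-side check that mitigation 2 calls for.
// Every function name, option name and size value below is hypothetical.

const EXAMPLE_FALLBACK_LIMIT_BYTES = 2 * 1024 * 1024; // constructed default: 2 MiB

// Weak pattern: the cap is whatever number the submitted form carried.
// Whoever builds the request chooses the limit, so the admin's setting
// is only advisory.
function example_limit_from_request(array $post): int {
    return isset($post['max_file_size'])
        ? (int) $post['max_file_size']
        : EXAMPLE_FALLBACK_LIMIT_BYTES;
}

// Hardened pattern: the cap comes only from server-side configuration.
// Inside WordPress this reads a stored option; outside it (this CLI demo)
// the constant is used.
function example_limit_from_config(): int {
    $stored = function_exists('get_option')
        ? get_option('example_upload_limit_bytes', EXAMPLE_FALLBACK_LIMIT_BYTES)
        : EXAMPLE_FALLBACK_LIMIT_BYTES;
    $limit = (int) $stored;
    // A zero, negative or non-numeric stored value must not silently
    // disable the check, so fall back to the default instead.
    return ($limit > 0) ? $limit : EXAMPLE_FALLBACK_LIMIT_BYTES;
}

// Shared size decision. $actual_bytes must be measured by the server
// (filesize() of the temporary upload), never taken from the request.
function example_size_allowed(int $actual_bytes, int $limit): bool {
    return $actual_bytes >= 0 && $actual_bytes <= $limit;
}

// Request-time handler for one entry of $_FILES. It measures the file
// itself and ignores any limit field in the body. Returns true when the
// upload may proceed to further checks (type allow-list, malware scan).
function example_handle_upload(array $file): bool {
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return false; // not a real HTTP upload
    }
    $actual = filesize($file['tmp_name']);
    if ($actual === false) {
        return false;
    }
    return example_size_allowed($actual, example_limit_from_config());
}

// CLI demo with constructed values: a 5 MiB file against an admin cap of
// 2 MiB, where the submitted form carries an inflated 100 MiB limit field.
if (PHP_SAPI === 'cli') {
    $upload_bytes  = 5 * 1024 * 1024;
    $form_post     = ['max_file_size' => 100 * 1024 * 1024];
    $weak_accepts  = example_size_allowed($upload_bytes, example_limit_from_request($form_post));
    $hard_accepts  = example_size_allowed($upload_bytes, example_limit_from_config());
    printf("limit taken from form field accepts the 5 MiB file: %s\n", $weak_accepts ? 'yes' : 'no');
    printf("limit taken from server config accepts it:          %s\n", $hard_accepts ? 'yes' : 'no');
}
```

The point of the split is that `example_handle_upload()` never touches `$_POST` for policy: the only request data it consults is the temporary file, and the only place a limit can come from is configuration the administrator controls. Pairing this with a PHP-level `upload_max_filesize`/`post_max_size` ceiling gives a second, plugin-independent bound as recommendation 2 describes.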
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2022-09-23T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9815c4522896dcbd6045
Added to database: 5/21/2025, 9:08:37 AM
Last enriched: 7/4/2025, 7:55:22 PM
Last updated: 8/17/2025, 6:41:06 PM