The vulnerability identified as CVE-2024-12267 affects the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' developed by glenwpcoder. This plugin facilitates file uploads via drag and drop functionality integrated with Contact Form 7 forms. The root cause is insufficient validation of file paths in the dnd_codedropz_upload_delete() function, which handles deletion requests for uploaded files. Due to this flaw, unauthenticated attackers can craft requests that delete arbitrary files within a limited scope on the server hosting the WordPress site. The vulnerability does not allow deletion of critical configuration files such as wp-config.php, thus preventing escalation to remote code execution. The plugin versions up to and including 1.3.8.5 are affected. The CVSS 3.1 score of 5.3 indicates a medium severity, with the attack vector being network-based, no privileges required, no user interaction needed, and impact limited to integrity (file deletion). No public exploits have been reported yet, but the vulnerability poses a risk to site stability and data integrity. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for cautious mitigation.

The primary impact of this vulnerability is the unauthorized deletion of files on the affected WordPress server. While critical system files like wp-config.php are protected, attackers can still remove other files, potentially disrupting website functionality, deleting uploaded user content, or removing plugin/theme files. This can lead to degraded user experience, loss of data, and increased administrative overhead to restore deleted content. For organizations relying on Contact Form 7 with this plugin, this could result in partial denial of service or data integrity issues. Since the attack requires no authentication or user interaction, the risk of automated exploitation exists, which could affect a large number of sites if exploited at scale. However, the absence of confidentiality and availability impacts, and the limited scope of file deletion, reduce the overall severity compared to more critical vulnerabilities.

Organizations should immediately verify if they use the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin and identify the version in use. Until an official patch is released, administrators can mitigate risk by disabling or removing the plugin if file upload functionality is not critical. If the plugin is essential, restrict access to the upload and deletion endpoints via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting the vulnerable function. Implement strict file system permissions to limit the plugin's ability to delete files outside designated directories. Monitor web server logs for suspicious deletion requests and unusual activity related to file uploads. Regular backups of website data and uploaded files should be maintained to enable quick restoration if deletion occurs. Finally, stay alert for updates from the plugin vendor and apply patches promptly once available.