CVE-2024-3717 is a vulnerability classified under CWE-922 (Insecure Storage of Sensitive Information) found in the Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress, affecting all versions up to and including 1.3.7.7. The plugin allows users to upload files via a drag-and-drop interface integrated with Contact Form 7 forms. However, the uploaded files are stored in the publicly accessible directory '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' without proper access controls or protections. This misconfiguration enables unauthenticated attackers to directly access and download sensitive files uploaded through the forms, potentially exposing personal data, documents, or other confidential information submitted by users. The vulnerability does not require any authentication or user interaction, making exploitation straightforward for attackers who can simply browse or enumerate files in the directory. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. While no exploits have been reported in the wild yet, the exposure of sensitive data can have serious privacy implications. The root cause is the insecure storage and lack of access restrictions on uploaded files, violating best practices for handling sensitive information in web applications. No official patches or fixes have been linked yet, so mitigation relies on configuration changes or plugin updates once available.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information submitted via the affected plugin's file upload feature. Organizations using this plugin on WordPress sites risk leaking confidential user data such as personal documents, identification files, or other sensitive attachments. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), reputational damage, and potential legal consequences. Since the vulnerability does not affect data integrity or availability, it does not enable attackers to modify or disrupt services directly. However, the ease of exploitation without authentication increases the likelihood of data breaches, especially on high-traffic or public-facing websites. Attackers can automate scanning for exposed directories to harvest sensitive files at scale. The impact is particularly critical for organizations handling sensitive customer or employee information through web forms. Additionally, the exposure can facilitate further attacks such as social engineering or identity theft using the leaked data.

To mitigate CVE-2024-3717, organizations should immediately restrict public access to the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory by implementing proper access controls at the web server level (e.g., using .htaccess rules for Apache or equivalent configurations for Nginx) to deny direct browsing or downloading of files. Until an official patch or plugin update is released, administrators can move uploaded files to non-public directories or implement authentication checks before serving files. Reviewing and tightening file permissions on the upload directory to prevent unauthorized read access is critical. Additionally, monitoring web server logs for suspicious access patterns targeting this directory can help detect exploitation attempts. Organizations should also consider disabling the plugin if file upload functionality is not essential or replacing it with a more secure alternative. Regularly updating WordPress plugins and themes and subscribing to vulnerability advisories for this plugin will ensure timely application of future patches. Finally, educating site administrators about secure file handling practices and conducting periodic security audits can reduce exposure to similar vulnerabilities.