CVE-2025-14457: CWE-862 Missing Authorization in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
CVE-2025-14457 is a low-severity vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin. It arises from a missing authorization check in the file deletion function, allowing unauthenticated attackers to delete arbitrary uploaded files when the 'Send attachments as links' setting is enabled. The vulnerability affects all versions up to and including 1.3.9.2. Exploitation does not impact confidentiality or availability but can lead to integrity loss by unauthorized file deletion. No known exploits are currently reported in the wild. European organizations using this plugin with the vulnerable setting enabled may face risks of data loss or disruption of user-submitted content. Mitigation involves disabling the vulnerable setting or applying patches once available, and monitoring file upload directories for unauthorized changes.
AI Analysis
Technical Summary
CVE-2025-14457 identifies a missing authorization vulnerability (CWE-862) in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, specifically in the dnd_codedropz_upload_delete() function. This function lacks an ownership or permission check before deleting uploaded files, which allows unauthenticated attackers to delete arbitrary files uploaded via the plugin. The vulnerability is present in all versions up to and including 1.3.9.2. Exploitation requires the plugin's 'Send attachments as links' setting to be enabled, which changes how uploaded files are handled and referenced. The attack vector is network-based with no privileges or user interaction required, but the attack complexity is high due to the need to identify valid file references. The impact is limited to integrity, as attackers can delete files but cannot read or modify their contents or affect availability of the site. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability is rated with a CVSS v3.1 score of 3.7 (low severity), reflecting limited impact and exploitation difficulty. This vulnerability is relevant for WordPress sites using this plugin, which is popular for enhancing Contact Form 7 with drag-and-drop file upload capabilities.
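To make the CWE-862 pattern concrete, the following is an added, hypothetical WordPress AJAX delete handler written for this analysis; it is not the plugin's dnd_codedropz_upload_delete() code. It contrasts the vulnerable shape (a path taken from the request and deleted with no proof of ownership) with a hardened shape. The hardened version assumes the upload step stored a per-upload random token in a transient (`dnd_del_<sha256(token)>` mapped to the relative file path) and returned that token only to the uploader; the folder name `cf7-dnd-uploads` and all function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumes the upload handler did:
//   set_transient( 'dnd_del_' . hash( 'sha256', $token ), $relative_path, HOUR_IN_SECONDS );
// and returned $token (random, >= 32 chars) to the uploading browser only.

// Vulnerable shape (CWE-862): the caller is never asked to prove it may delete this file.
function hypothetical_delete_vulnerable() {
    $path = $_POST['path'];                                   // request-controlled, unchecked
    wp_delete_file( wp_upload_dir()['basedir'] . '/' . $path ); // deletes whatever was named
    wp_send_json_success();
}

// Hardened shape: require the per-upload token (authorization), then confine the path.
function hypothetical_delete_hardened() {
    // Nonce stops CSRF only; for logged-out visitors it is shared, so it is NOT authorization.
    check_ajax_referer( 'dnd_delete', 'nonce' );

    $token = isset( $_POST['token'] ) ? (string) $_POST['token'] : '';
    if ( strlen( $token ) < 32 ) {
        wp_send_json_error( 'missing token', 403 );
    }
    $key      = 'dnd_del_' . hash( 'sha256', $token );
    $relative = get_transient( $key );   // only the uploader was given this token
    if ( false === $relative ) {
        wp_send_json_error( 'unknown or expired upload', 403 );
    }

    // Confine deletion to the plugin's own folder (assumed name) regardless of stored value.
    $base   = realpath( wp_upload_dir()['basedir'] . '/cf7-dnd-uploads' );
    $target = realpath( $base . '/' . basename( $relative ) );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_delete_file( $target );
    delete_transient( $key );            // token is single-use
    wp_send_json_success();
}

// Contact-form visitors are normally logged out, so both hooks point at the hardened handler.
add_action( 'wp_ajax_hypothetical_delete', 'hypothetical_delete_hardened' );
add_action( 'wp_ajax_nopriv_hypothetical_delete', 'hypothetical_delete_hardened' );
```

The key point for reviewers is that a capability check alone cannot fix this class of bug on a public contact form, because the legitimate caller has no WordPress account; ownership must be tied to a secret issued at upload time.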
Potential Impact
For European organizations, the primary impact is the unauthorized deletion of uploaded files submitted through Contact Form 7 forms using this plugin with the vulnerable setting enabled. This can result in loss of user-submitted data such as documents, images, or other attachments, potentially disrupting business processes that rely on these uploads (e.g., customer support, job applications, or service requests). While the vulnerability does not expose sensitive data or cause denial of service, the integrity loss can undermine user trust and require operational recovery efforts. Organizations with high reliance on WordPress forms for customer interaction or internal workflows may experience moderate operational inconvenience. The absence of known exploits reduces immediate risk, but the vulnerability could be targeted in the future, especially in sectors with high web presence. The impact is more pronounced for SMEs and public sector entities that may lack rapid patch management capabilities.
Mitigation Recommendations
1. Immediately verify if the 'Send attachments as links' setting is enabled in the Drag and Drop Multiple File Upload for Contact Form 7 plugin and disable it if not strictly necessary.
2. Monitor and audit the upload directories for unauthorized file deletions or anomalies.
3. Implement strict file system permissions to limit deletion capabilities to authorized processes only.
4. Keep WordPress core, Contact Form 7, and all related plugins updated; apply vendor patches promptly once available for this vulnerability.
5. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable function.
6. Educate site administrators about this vulnerability and encourage regular backups of uploaded files to enable recovery.
7. Review and harden overall WordPress security posture, including limiting plugin usage to trusted sources and minimizing attack surface.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T14:55:41.035Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696891250b074b1fa58c19b1
Added to database: 1/15/2026, 7:03:01 AM
Last enriched: 1/15/2026, 7:16:16 AM
Last updated: 1/15/2026, 9:13:50 AM