CVE-2025-14457: CWE-862 Missing Authorization in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.
AI Analysis
Technical Summary
CVE-2025-14457 identifies a missing authorization vulnerability (CWE-862) in the Drag and Drop Multiple File Upload for Contact Form 7 plugin developed by glenwpcoder for WordPress. The vulnerability exists in the dnd_codedropz_upload_delete() function, which lacks proper ownership verification before allowing deletion of uploaded files. This flaw affects all plugin versions up to and including 1.3.9.2. When the plugin's 'Send attachments as links' setting is enabled, unauthenticated attackers can exploit this weakness to delete arbitrary files uploaded via the plugin. The attack vector is network-based with no privileges or user interaction required, but the attack complexity is high, likely due to the need to identify valid file references or URLs. The vulnerability impacts data integrity by permitting unauthorized file deletion, but it does not compromise confidentiality or availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The CVSS v3.1 base score is 3.7, reflecting a low severity rating primarily due to limited impact and exploitation complexity.
Potential Impact
The primary impact of CVE-2025-14457 is unauthorized modification of data integrity through deletion of uploaded files. Organizations using the affected plugin with the 'Send attachments as links' feature enabled risk losing user-uploaded content, which could disrupt business processes relying on those files, such as customer communications or form submissions. Although the vulnerability does not directly affect confidentiality or availability, the loss of files could degrade service quality and user trust. The lack of authentication requirement broadens the potential attacker base, but the high attack complexity and absence of known exploits reduce immediate risk. Nonetheless, organizations with high volumes of file uploads or critical data stored via this plugin are at increased risk of operational impact and potential reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2025-14457, organizations should first verify whether the 'Send attachments as links' setting is enabled in their Drag and Drop Multiple File Upload for Contact Form 7 plugin configuration. If it is enabled, temporarily disable the feature until a security patch is released. Monitor official plugin channels and WordPress security advisories for updates or patches addressing this vulnerability and apply them promptly once available. Implement strict access controls and file permissions on the server so that files outside the plugin's control cannot be deleted by unauthorized users. Additionally, maintain regular backups of uploaded files to enable recovery if files are deleted. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function. Finally, conduct periodic security audits of WordPress plugins and configurations to identify and remediate similar authorization weaknesses proactively.
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T14:55:41.035Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696891250b074b1fa58c19b1
Added to database: 1/15/2026, 7:03:01 AM
Last enriched: 2/27/2026, 11:18:51 AM
Last updated: 3/25/2026, 5:39:53 PM