CVE-2025-14842: CWE-434 Unrestricted Upload of File with Dangerous Type in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.
AI Analysis
Technical Summary
CVE-2025-14842 is a vulnerability in the glenwpcoder Drag and Drop Multiple File Upload plugin for Contact Form 7 that permits limited upload of dangerous file types (.phar and .svg) due to insufficient validation. Attackers can upload malicious .phar files potentially leading to remote code execution if the server executes these files as PHP. Additionally, uploading .svg files may enable stored cross-site scripting attacks. The vulnerability affects all versions up to and including 1.3.9.2. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality and integrity impacts.
Potential Impact
An attacker can upload malicious .phar files that may be executed as PHP code on the server, leading to remote code execution if server configuration allows. Uploading .svg files can result in stored cross-site scripting attacks, potentially compromising users interacting with the affected site. The vulnerability requires no privileges but does require user interaction. The overall impact is medium severity with potential confidentiality and integrity impacts.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or disable file uploads in the plugin, especially for .phar and .svg file types. Implement server-side controls to prevent execution of .phar files as PHP. Monitor for plugin updates from the vendor that address this vulnerability.
CVE-2025-14842: CWE-434 Unrestricted Upload of File with Dangerous Type in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
Description
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14842 is a vulnerability in the glenwpcoder Drag and Drop Multiple File Upload plugin for Contact Form 7 that permits limited upload of dangerous file types (.phar and .svg) due to insufficient validation. Attackers can upload malicious .phar files potentially leading to remote code execution if the server executes these files as PHP. Additionally, uploading .svg files may enable stored cross-site scripting attacks. The vulnerability affects all versions up to and including 1.3.9.2. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality and integrity impacts.
Potential Impact
An attacker can upload malicious .phar files that may be executed as PHP code on the server, leading to remote code execution if server configuration allows. Uploading .svg files can result in stored cross-site scripting attacks, potentially compromising users interacting with the affected site. The vulnerability requires no privileges but does require user interaction. The overall impact is medium severity with potential confidentiality and integrity impacts.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or disable file uploads in the plugin, especially for .phar and .svg file types. Implement server-side controls to prevent execution of .phar files as PHP. Monitor for plugin updates from the vendor that address this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-17T17:58:42.026Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e0293a55ed4ed9984d532
Added to database: 1/7/2026, 6:52:03 AM
Last enriched: 4/9/2026, 9:53:38 AM
Last updated: 5/7/2026, 9:47:32 AM
Views: 149
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.