CVE-2025-5746: CWE-434 Unrestricted Upload of File with Dangerous Type in CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations. CVE-2025-49885 may be a duplicate of this.
AI Analysis
Technical Summary
CVE-2025-5746 is a critical vulnerability in the CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress. The issue arises from the dnd_upload_cf7_upload_chunks() function lacking proper file type validation, enabling unauthenticated attackers to upload arbitrary files to the affected server. Although PHP execution is generally disabled via .htaccess, some server configurations may still allow remote code execution. The vulnerability affects versions 5.0 to 5.0.5 when bundled with the PrintSpace theme and all standalone versions up to 1.7.1. No official patch or remediation link is provided in the data, and no known exploits are reported in the wild as of the publication date.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution depending on server configuration. This can compromise confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the high impact and ease of exploitation over the network without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the vulnerable plugin versions or restricting file upload capabilities via server-level controls. Review and harden server configurations to ensure PHP execution is effectively disabled in upload directories.
CVE-2025-5746: CWE-434 Unrestricted Upload of File with Dangerous Type in CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce
Description
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations. CVE-2025-49885 may be a duplicate of this.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-5746 is a critical vulnerability in the CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress. The issue arises from the dnd_upload_cf7_upload_chunks() function lacking proper file type validation, enabling unauthenticated attackers to upload arbitrary files to the affected server. Although PHP execution is generally disabled via .htaccess, some server configurations may still allow remote code execution. The vulnerability affects versions 5.0 to 5.0.5 when bundled with the PrintSpace theme and all standalone versions up to 1.7.1. No official patch or remediation link is provided in the data, and no known exploits are reported in the wild as of the publication date.
Potential Impact
Successful exploitation allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution depending on server configuration. This can compromise confidentiality, integrity, and availability of the affected system. The CVSS score of 9.8 reflects the high impact and ease of exploitation over the network without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the vulnerable plugin versions or restricting file upload capabilities via server-level controls. Review and harden server configurations to ensure PHP execution is effectively disabled in upload directories.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-05T20:22:57.965Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6864b0fa6f40f0eb7291718c
Added to database: 7/2/2025, 4:09:30 AM
Last enriched: 4/9/2026, 5:37:16 PM
Last updated: 5/10/2026, 12:31:06 PM
Views: 212
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.