
CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7

Medium
Tags: Vulnerability, CVE-2025-8464, cve, cve-2025-8464, cwe-23
Published: Sat Aug 16 2025 (08/16/2025, 07:25:28 UTC)
Source: CVE Database V5
Vendor/Project: glenwpcoder
Product: Drag and Drop Multiple File Upload for Contact Form 7

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.

AI-Powered Analysis

AI analysis last updated: 08/24/2025, 01:04:39 UTC

Technical Analysis

CVE-2025-8464 is a relative path traversal vulnerability (CWE-23) in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' by glenwpcoder. It affects all versions up to and including 1.3.9.0 and is reached through the wpcf7_guest_user_id cookie: the plugin derives a path from the cookie value without sufficiently sanitizing or validating it, so traversal sequences such as '../' escape the intended directory boundary. Because the cookie is fully attacker-controlled and no session or account is needed, an unauthenticated attacker can upload and delete files outside the designated upload directory.

The impact is bounded by two controls that remain in effect. File type validation still applies to uploads, so only file types the plugin considers safe can be placed, which closes the straightforward route to code execution via a dropped web shell. Deletion is confined to the plugin's uploads folder, so files elsewhere on the server cannot be removed.

The CVSS v3.1 base score is 5.3 (medium): network attack vector, low complexity, no privileges or user interaction required, a limited integrity impact, and no confidentiality or availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). No exploitation in the wild is known and no patch had been linked at the time of analysis. In practice the flaw lets an attacker place or remove files under the upload tree outside the location intended for that guest, which can disrupt plugin functionality or serve as a building block when combined with other weaknesses.
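The following added example illustrates the CWE-23 pattern described above and the two server-side checks that close it. It is not the plugin's code: the directory layout (one sub-directory per guest, named after the wpcf7_guest_user_id cookie, under the plugin's upload folder), the function names and the guest-id format are assumptions made for the illustration. It shows why a "normalise then prefix-check" fix is insufficient (a sibling directory whose name starts with the base path passes it) and how an allow-list plus a canonicalised containment check rejects dot-dot segments, sibling directories and a symlink planted inside the tree.

```python
"""Cookie-derived path component: a naive check beside a hardened one.

Added illustration of the CWE-23 pattern the advisory describes. It is not
the plugin's code: the layout (one sub-directory per guest, named after the
wpcf7_guest_user_id cookie, under the plugin's upload folder) and every
function name here are assumptions made for the example.
"""
import os
import re
import shutil
import tempfile
from typing import Optional

# Assumed shape of a legitimate guest id: short, opaque, no path separators,
# no dots. Anything else is rejected before it reaches a filesystem call.
GUEST_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_is_inside(base: str, cookie_value: str) -> bool:
    """Insufficient 'fix' seen in many traversal patches: normalise, then
    string-prefix check. Rejects '../../etc' but not a sibling directory
    such as '../<base>_evil', whose path also starts with `base`."""
    candidate = os.path.normpath(os.path.join(base, cookie_value))
    return candidate.startswith(base)


def hardened_guest_dir(base: str, cookie_value: str) -> Optional[str]:
    """Return the resolved per-guest directory, or None if rejected.

    Two independent controls:
      1. allow-list the untrusted value, so separators and dot segments
         never reach the filesystem API at all;
      2. canonicalise (symlinks included) and require the result to be
         contained in base via commonpath, not merely prefixed by it,
         so a bug in (1) or a symlink planted in the tree cannot escape.
    """
    if not GUEST_ID.fullmatch(cookie_value):
        return None
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, cookie_value))
    if os.path.commonpath([real_base, target]) != real_base:
        return None
    return target


def run_demo() -> dict:
    """Exercise both checks against a throw-away upload tree and report,
    per attacker-controlled cookie value, how each check behaves."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="wpcf7_uploads_"))
    sibling = "../" + os.path.basename(base) + "_evil"  # prefix-check bypass
    results = {
        "naive_lets_sibling_through": naive_is_inside(base, sibling),
        "hardened_rejects_sibling": hardened_guest_dir(base, sibling) is None,
        "hardened_rejects_dotdot": hardened_guest_dir(base, "../../etc") is None,
        "hardened_accepts_plain_id": hardened_guest_dir(base, "3f9a1c2e7b")
        == os.path.join(base, "3f9a1c2e7b"),
    }
    try:
        # "escape" passes the allow-list; only the containment check catches
        # that it resolves to the parent of base.
        os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
        results["hardened_rejects_symlink"] = hardened_guest_dir(base, "escape") is None
    except OSError:
        results["hardened_rejects_symlink"] = None  # no symlink support here
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The allow-list alone would already stop the cookie values in this advisory; the containment check is kept because it is the control that survives a later refactor of the allow-list or a symlink that an earlier upload bug left inside the tree.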

Potential Impact

For European organizations running WordPress sites with the vulnerable 'Drag and Drop Multiple File Upload for Contact Form 7' plugin, this vulnerability poses a moderate risk. The file type validation blocks direct deployment of executable payloads, but an attacker can still place or delete files within the plugin's upload directory, which can break form submissions or remove files that submitters have uploaded, with corresponding effects on business processes that depend on contact forms and on reputation if forms stop working. Combined with other vulnerabilities or misconfigurations, the impact could be escalated. Given the widespread use of WordPress across Europe, sites on outdated plugin versions are exposed, and the unauthenticated nature of the flaw means no credentials are needed to reach it. The confinement of deletion to the plugin's upload folder and the upload type restrictions make a data breach or full system compromise from this flaw alone unlikely.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations for the presence of the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin and verify the version in use. Until an official patch is released, the risk can be removed by disabling or removing the plugin, especially on publicly accessible sites. Web application firewall (WAF) rules that inspect the wpcf7_guest_user_id cookie for directory traversal patterns (e.g., '../') can block exploitation attempts; the rule must match on the decoded value, since the sequence may arrive percent-encoded ('%2e%2e%2f'), double-encoded, or with backslashes, and a rule that only looks for a literal '../' will miss these. Write permissions on the plugin's upload directories should be reduced to the minimum the web server needs for the form to function, so that file operations outside that tree fail even if the path check is bypassed. Web server logs should be monitored for unusual upload or deletion activity in the plugin's directories, which requires that cookie values (or at least this cookie) are included in the access log. Regular backups of website files allow recovery from malicious deletions. Once a patch is available, prompt application of the update is essential to fully remediate the vulnerability.
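As an added example for the WAF and log-monitoring recommendations above (not the plugin's code and not a vendor rule), the scanner below decodes the wpcf7_guest_user_id cookie until stable, folds backslashes, and flags dot-dot segments or values outside an assumed guest-id alphabet. The log format (a combined-format line with the Cookie request header appended, as a server configured to log that header would produce) and all sample lines are constructed for this illustration; the guest-id alphabet is an assumption, not the plugin's documented format.

```python
"""Detect traversal attempts in the wpcf7_guest_user_id cookie in web logs.

Added example for the WAF / log-monitoring recommendations; not the plugin's
code and not a product rule. The log format (combined log with the Cookie
request header appended) and the sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

COOKIE_NAME = "wpcf7_guest_user_id"
# Assumed shape of a legitimate guest id (not the plugin's documented format).
ALLOWED_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A dot-dot segment bounded by separators or string ends, after normalisation.
DOT_DOT_SEGMENT = re.compile(r"(?:\A|/)\.\.(?:/|\Z)")
# ip ident user [time] "request" status bytes "referer" "user-agent" "cookie"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %2e%2e%2f and double-encoded
    %252e%252e%252f), then fold backslashes so '..\\' is treated like '../'.
    The bounded loop keeps this cheap on adversarial input."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def extract_cookie(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    """Return the raw value of `name` from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep and key == name:
            return val
    return None


def classify(raw_value: str) -> Optional[str]:
    """None for a benign-looking value, otherwise a short reason."""
    norm = normalize(raw_value)
    if DOT_DOT_SEGMENT.search(norm):
        return "dot-dot segment after decoding"
    if not ALLOWED_ID.fullmatch(norm):
        return "characters outside the expected id alphabet"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, normalized_value) for suspicious lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = extract_cookie(m.group("cookie"))
        if raw is None:
            continue
        reason = classify(raw)
        if reason:
            findings.append((n, reason, normalize(raw)))
    return findings


# Constructed sample log lines; the request target is generic on purpose.
_PREFIX = '203.0.113.7 - - [16/Aug/2025:07:25:28 +0000] '
_REQ = '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
SAMPLE_LOG = [
    _PREFIX + _REQ + '"wpcf7_guest_user_id=3f9a1c2e7b"',                  # 1 benign
    _PREFIX + _REQ + '"wpcf7_guest_user_id=../../evil"',                  # 2 raw
    _PREFIX + _REQ + '"wpcf7_guest_user_id=%2e%2e%2f%2e%2e%2fevil"',      # 3 encoded
    _PREFIX + _REQ + '"wpcf7_guest_user_id=%252e%252e%252fevil"',         # 4 double
    _PREFIX + _REQ + '"wpcf7_guest_user_id=..%5c..%5cevil"',              # 5 backslash
    _PREFIX + _REQ + '"PHPSESSID=abc; other=a..b"',                       # 6 no target cookie
    _PREFIX + _REQ + '"wpcf7_guest_user_id=abc%00def"',                   # 7 odd bytes
]

if __name__ == "__main__":
    for line_no, reason, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {value!r}")
```

A WAF rule built from the same logic should apply `normalize` before matching; matching the raw header would catch only line 2 of the sample. The second reason ("characters outside the expected id alphabet") is a lower-confidence signal and is worth logging rather than blocking until the legitimate id format has been confirmed against real traffic.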


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-08-01T15:47:19.302Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68a0341fad5a09ad007601d4

Added to database: 8/16/2025, 7:32:47 AM

Last enriched: 8/24/2025, 1:04:39 AM

Last updated: 9/29/2025, 9:37:52 AM
