CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
AI Analysis
Technical Summary
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress suffers from a CWE-23 relative path traversal vulnerability in all versions up to and including 1.3.9.0. This vulnerability is exploitable through the wpcf7_guest_user_id cookie, enabling unauthenticated attackers to upload and delete files outside the intended directory. Despite this, file upload types are validated to allow only safe files, and deletion capabilities are limited to the plugin's uploads folder, which restricts the overall impact.
Potential Impact
An unauthenticated attacker can upload and delete files outside the plugin's intended directory. However, the impact is limited because only validated safe file types can be uploaded, and file deletion is confined to the plugin's uploads folder. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling the plugin or restricting access to mitigate potential exploitation.
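As an added illustration, not code from the plugin, Wordfence or this page, the following PHP contrasts the weak pattern the advisory describes, a per-visitor identifier read from a cookie and concatenated into a filesystem path, with a hardened form that allow-lists the identifier's shape and then confirms the resolved directory still sits under the uploads base. The cookie name wpcf7_guest_user_id is from the advisory; the function names, the directory layout and the identifier format are assumptions made for the example.

```php
<?php
// Added defensive example (not the plugin's own code). It models the class of
// defect described in CVE-2025-8464: a visitor-controlled identifier from the
// wpcf7_guest_user_id cookie is used to build a path under the uploads folder.
// Function names, directory layout and the id format are assumptions.

// Weak pattern: the cookie value flows straight into the path, so a value
// containing "../" segments resolves outside the intended folder.
function guest_dir_unsafe(string $uploads_base, string $guest_id): string {
    return $uploads_base . '/' . $guest_id;
}

// Hardened pattern, two independent checks:
// 1. Allow-list the identifier shape before it touches a path. The plugin
//    issues its own guest ids, so anything outside that format is rejected.
// 2. Resolve the final path and confirm it is still under the uploads base,
//    which also catches indirection such as a symlinked subdirectory.
function guest_dir_safe(string $uploads_base, ?string $guest_id): ?string {
    if ($guest_id === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $guest_id)) {
        return null; // missing or malformed id: caller should fail the request
    }
    $base = realpath($uploads_base);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $guest_id;
    if (!is_dir($candidate) && !mkdir($candidate, 0750, true)) {
        return null;
    }
    $resolved = realpath($candidate);
    // Containment check: the resolved path must start with base + separator.
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Demonstration on a constructed layout in the system temp directory.
$root    = sys_get_temp_dir() . '/cf7-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads/cf7-uploads'; // assumed layout
mkdir($uploads, 0750, true);
mkdir($root . '/outside', 0750, true);

$inputs = [
    'abc123',          // well-formed guest id, accepted by both functions
    '../../outside',   // traversal value, accepted by the weak function only
    '',                // empty cookie, rejected by the hardened function
];
foreach ($inputs as $guest_id) {
    printf("%-18s unsafe=%s\n", var_export($guest_id, true),
        guest_dir_unsafe($uploads, $guest_id));
    printf("%-18s safe=%s\n", '', var_export(guest_dir_safe($uploads, $guest_id), true));
}

// Remove the constructed layout.
@rmdir($uploads . '/abc123');
@rmdir($uploads);
@rmdir(dirname($uploads));
@rmdir(dirname(dirname($uploads)));
@rmdir($root . '/outside');
@rmdir($root);
```

In a real plugin the base directory would come from WordPress's wp_upload_dir()['basedir'] rather than a hard-coded path, and the same containment check should run before any delete operation, since the advisory notes the cookie affects deletion as well as upload. The allow-list check is the primary control; the realpath comparison is defence in depth for the case where the first check is bypassed or the directory tree contains links.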
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-01T15:47:19.302Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a0341fad5a09ad007601d4
Added to database: 8/16/2025, 7:32:47 AM
Last enriched: 4/9/2026, 9:46:38 PM
Last updated: 5/10/2026, 2:23:42 AM