
CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7

Medium
Tags: Vulnerability, CVE-2025-8464, cve, cwe-23
Published: Sat Aug 16 2025 (08/16/2025, 07:25:28 UTC)
Source: CVE Database V5
Vendor/Project: glenwpcoder
Product: Drag and Drop Multiple File Upload for Contact Form 7

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.

AI-Powered Analysis

AI analysis last updated: 08/16/2025, 07:47:54 UTC

Technical Analysis

CVE-2025-8464 is a directory traversal vulnerability (CWE-23) affecting the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' developed by glenwpcoder. This vulnerability exists in all versions up to and including 1.3.9.0. The flaw is triggered via the wpcf7_guest_user_id cookie, which is used by the plugin to manage file uploads. An unauthenticated attacker can exploit this vulnerability to upload and delete files outside the intended upload directory. However, the impact is somewhat mitigated by the plugin's file type validation, which restricts uploads to safe file types, and by limiting deletion capabilities to the plugin's uploads folder. The vulnerability does not affect confidentiality or availability directly but impacts integrity by allowing unauthorized modification of files. The CVSS v3.1 score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges or user interaction, and affects integrity but not confidentiality or availability. No known exploits are currently reported in the wild, and no patches have been published yet. This vulnerability could be leveraged to manipulate website content or potentially facilitate further attacks if combined with other vulnerabilities or misconfigurations in the hosting environment.

Potential Impact

For European organizations using WordPress sites with the vulnerable plugin, this vulnerability poses a moderate risk. Attackers could upload or delete files within the plugin's upload directories, potentially defacing websites, injecting malicious scripts, or disrupting normal operations. Although file type validation limits the risk of arbitrary code execution, attackers might still upload web shells disguised as allowed file types or delete critical files related to the plugin's functionality, causing service degradation. This could lead to reputational damage, loss of user trust, and potential compliance issues under regulations like GDPR if personal data integrity is compromised. Organizations with high-traffic or customer-facing WordPress sites are particularly at risk. The unauthenticated nature of the exploit increases the threat level, as no credentials are needed to attempt exploitation. However, the lack of known active exploitation and the limited scope of file deletion reduce the immediate criticality. Still, the vulnerability should be addressed promptly to avoid escalation or chaining with other vulnerabilities.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the 'Drag and Drop Multiple File Upload for Contact Form 7' plugin and verify its version. Until an official patch is released, organizations should consider the following mitigations:

1) Disable or remove the vulnerable plugin if it is not essential.
2) Implement web application firewall (WAF) rules to block suspicious requests containing directory traversal patterns or anomalous cookie values targeting wpcf7_guest_user_id.
3) Restrict file system permissions for the web server user to limit write and delete access strictly to necessary directories, preventing unauthorized file manipulation outside the plugin's scope.
4) Monitor web server logs for unusual upload or deletion activity, especially related to the plugin's upload folders.
5) Employ intrusion detection systems (IDS) to alert on exploitation attempts.
6) Educate site administrators on the risks and ensure timely updates once patches become available.
7) Consider isolating WordPress instances or running them in containerized environments to reduce the blast radius of potential exploitation.
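The Technical Analysis above attributes the flaw to a cookie value being reused as a directory name, and mitigation items 2 and 4 call for screening requests and monitoring logs for anomalous wpcf7_guest_user_id values. The Python below is an added example written for this page; it is not code from the plugin, from Wordfence or from the CVE record. It assumes a per-visitor directory under an uploads folder and an allow-listed token format for the identifier (both assumptions, since the advisory does not describe the plugin's internals), shows the two independent controls a hardened version of such code needs (format allow-list plus canonical-path containment), and runs the same allow-list over constructed log lines as a simple detector.

```python
import os
import re
from urllib.parse import unquote

# Allow-list for the per-visitor identifier taken from the cookie. The real
# format the plugin uses is not known from the advisory (assumption): we demand
# a short token of letters, digits, '-' or '_' so that path separators, dots
# and encoded bytes never reach the filesystem layer.
GUEST_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_guest_id(value: str) -> bool:
    """First control: reject anything outside the expected token format."""
    return GUEST_ID_RE.fullmatch(value) is not None


def within_base(base_dir: str, relative: str) -> bool:
    """Second control: canonicalise and check the result still lies under base_dir.

    Both paths go through realpath so symlinks and '..' segments are collapsed
    before the comparison; commonpath equals base only when the candidate is
    base itself or a descendant of it. An absolute 'relative' value makes
    os.path.join discard base, and the check then fails as it should.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    return os.path.commonpath([base, candidate]) == base


def resolve_upload_dir(base_dir: str, guest_id: str):
    """Return the visitor's upload directory, or None if either control fails."""
    if not is_valid_guest_id(guest_id):
        return None
    if not within_base(base_dir, guest_id):
        return None
    return os.path.join(os.path.realpath(base_dir), guest_id)


# --- detection over access logs (mitigation items 2 and 4) -------------------

COOKIE_RE = re.compile(r'wpcf7_guest_user_id=([^;"\s]*)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded values are judged decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_suspicious_cookies(log_text: str):
    """Return (client_ip, raw_cookie_value) for each line whose cookie fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        match = COOKIE_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if not is_valid_guest_id(fully_decode(raw)):
            hits.append((line.split(" ", 1)[0], raw))
    return hits


# Constructed sample: Apache combined format with "%{Cookie}i" appended to the
# LogFormat. The advisory contains no log data; these lines are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Aug/2025:07:25:28 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7_guest_user_id=a1b2c3d4"
203.0.113.11 - - [16/Aug/2025:07:26:01 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7_guest_user_id=../../outside"
203.0.113.12 - - [16/Aug/2025:07:26:33 +0000] "POST /contact/ HTTP/1.1" 200 512 "wpcf7_guest_user_id=%252e%252e%252fup"
203.0.113.13 - - [16/Aug/2025:07:27:10 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-"
"""

if __name__ == "__main__":
    for ip, value in flag_suspicious_cookies(SAMPLE_LOG):
        print(f"suspicious wpcf7_guest_user_id from {ip}: {value!r}")
```

The allow-list alone would already stop traversal, but keeping the containment check as a second layer means a later relaxation of the token format (or a code path that skips validation) still cannot leave the uploads folder. The detector decodes before judging because WAF bypass attempts routinely arrive percent-encoded; it only reports lines, so tune the token pattern to the identifier format actually observed on your site before alerting on it.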


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-01T15:47:19.302Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a0341fad5a09ad007601d4

Added to database: 8/16/2025, 7:32:47 AM

Last enriched: 8/16/2025, 7:47:54 AM

Last updated: 8/16/2025, 9:55:29 PM
