CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-8464 is a relative path traversal vulnerability (CWE-23) in the Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress, affecting all versions up to and including 1.3.9.0. The flaw is reachable through the wpcf7_guest_user_id cookie: because the plugin incorporates this value into the file system path it operates on, an unauthenticated attacker who supplies a crafted cookie can upload files outside the intended upload directory and delete files within the plugin's upload folder. Two factors limit the impact. First, uploads remain subject to the plugin's file type validation, so only file types the plugin considers safe can be written, which reduces the likelihood of arbitrary code execution or the placement of malicious scripts. Second, deletion is confined to the plugin's upload directory, so broader file system damage is unlikely. Exploitation requires neither authentication nor user interaction and can be performed remotely over the network. The CVSS v3.1 base score is 5.3 (medium), reflecting limited impact on confidentiality and availability and a partial impact on integrity. No public exploits had been reported at the time of publication, but the vulnerability poses a risk to any site that relies on this plugin for Contact Form 7 file uploads, and because no patch was available at that time, administrators should give it immediate attention.
Potential Impact
The primary impact of CVE-2025-8464 is unauthorized modification of files related to the plugin's upload directory, which affects the integrity of website content and can disrupt normal operation of the plugin. Although attackers cannot upload arbitrary file types, the ability to upload and delete files outside the intended directory could be used to replace legitimate files or remove files the plugin depends on, potentially leading to denial of service or degraded functionality. Because the vulnerability has no direct impact on confidentiality or availability in the CVSS assessment, the risk is moderate, but it remains significant for website integrity. Exploitation could also serve as a stepping stone for further attacks when combined with other vulnerabilities or misconfigurations. Organizations that rely on this plugin to handle user uploads may face reputational damage and operational issues if it is exploited, and the absence of any authentication or user interaction requirement increases the likelihood of automated exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2025-8464, organizations should first check for and apply any official patch or update released by the plugin vendor as soon as it is available. Until a patch is released, administrators should consider disabling the Drag and Drop Multiple File Upload feature or the entire plugin if feasible. Web application firewall (WAF) rules that inspect the wpcf7_guest_user_id cookie can help block exploitation attempts: a guest identifier has no legitimate reason to contain path separators ("/" or "\") or ".." sequences, so requests whose cookie value contains them can be rejected and logged. Restricting file system permissions so that the web server account can write to and delete from only the directories it genuinely needs (in this case the plugin's upload directory) reduces the impact of unauthorized file operations. Regularly auditing uploaded files and plugin directories for unexpected changes is recommended, and security plugins that monitor file integrity and alert on unauthorized modifications can provide early detection. Finally, site administrators should be informed about this vulnerability and encouraged to respond promptly to suspicious activity.
Affected Countries
United States, Germany, United Kingdom, India, Brazil, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-01T15:47:19.302Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a0341fad5a09ad007601d4
Added to database: 8/16/2025, 7:32:47 AM
Last enriched: 2/26/2026, 5:10:29 PM
Last updated: 3/25/2026, 4:53:24 AM