汇总 codedropz 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 路径处理缺陷与跨站脚本 等问题,部分漏洞可能导致 文件覆盖,并影响 生产负载与软件部署 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-14457 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | [email protected] | 3.7 | 0.05% | 2026-01-15 | 2026-01-23 |
| CVE-2025-3515 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, | [email protected] | 8.1 | 4.59% | 2025-06-17 | 2025-08-11 |
| CVE-2025-2485 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on | [email protected] | 7.5 | 1.80% | 2025-03-28 | 2025-08-12 |
| CVE-2025-2328 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiti | [email protected] | 8.8 | 3.31% | 2025-03-28 | 2025-08-12 |
| CVE-2024-12267 | The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible. | [email protected] | 5.3 | 0.10% | 2025-01-31 | 2025-08-11 |
| CVE-2024-3717 | The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form. | [email protected] | 5.3 | 0.70% | 2024-05-02 | 2026-04-08 |
| CVE-2022-45377 | Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce.This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8. | [email protected] | 6.5 | 0.18% | 2023-12-21 | 2026-04-28 |
| CVE-2023-5822 | The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has ad | [email protected] | 8.1 | 4.40% | 2023-11-22 | 2026-04-08 |
| CVE-2023-4821 | The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. | [email protected] | 5.4 | 0.11% | 2023-10-16 | 2025-04-23 |
| CVE-2022-45364 | Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions. | [email protected] | 5.4 | 0.05% | 2023-05-24 | 2024-11-21 |
| CVE-2023-1282 | The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. | [email protected] | 6.1 | 0.31% | 2023-04-17 | 2025-02-06 |
| CVE-2023-1112 | A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222072. | [email protected] | 4.7 | 31.80% | 2023-03-01 | 2024-11-21 |
| CVE-2022-3282 | The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. | [email protected] | 4.3 | 0.12% | 2022-10-17 | 2025-05-13 |
| CVE-2022-0595 | The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue | [email protected] | 5.4 | 5.78% | 2022-03-28 | 2024-11-21 |
| CVE-2020-12800 | The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. | [email protected] | 9.8 | 93.94% | 2020-06-08 | 2024-11-21 |