CVE-2023-1112

MEDIUM

Drag and Drop Multiple File Upload Contact Form 7 < 5.0.6.3 - Path Traversal via upload_name Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-1112. PoCs published by Nickguitar.

AI-analyzed exploit summary This PoC demonstrates a path traversal vulnerability in Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1, allowing unauthenticated attackers to upload files to arbitrary writable locations on the server via the `upload_dir` parameter.

Description

A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222072.

Exploits (1)

nomisec WORKING POC 24 stars

by Nickguitar · poc

https://github.com/Nickguitar/Drag-and-Drop-Multiple-File-Uploader-PRO-Path-Traversal

View Code ZIP pw:eip

This PoC demonstrates a path traversal vulnerability in Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1, allowing unauthenticated attackers to upload files to arbitrary writable locations on the server via the `upload_dir` parameter.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1

No auth needed

Prerequisites: Access to the plugin's file upload endpoint

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory vdb-entry technical-description

https://vuldb.com/?id.222072

Third Party Advisory signature permissions-required

https://vuldb.com/?ctiid.222072

Exploit, Third Party Advisory exploit

https://github.com/Nickguitar/Drag-and-Drop-Multiple-File-Uploader-PRO-Path-Traversal

Scores

CVSS v3 4.7

EPSS 0.0300

EPSS Percentile 85.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-23

Status published

Products (1)

codedropz/drag_and_drop_multiple_file_upload_-_contact_form_7 < 5.0.6.3

Published Mar 01, 2023

Tracked Since Feb 18, 2026