CVE-2025-3515

Severity: HIGH · EXPLOITED · NUCLEI · LAB

Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

CVE-2025-3515 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including fuckyourheroes, brokendreamsclub and ImBIOS. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-3515, a file upload vulnerability in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit demonstrates unauthenticated remote code execution by uploading malicious files with extensions like .phar, .php5, and .inc, which are not properly blacklisted by the plugin.

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Exploits (5)

nomisec · WORKING POC · 17 stars
by fuckyourheroes · poc
https://github.com/fuckyourheroes/CVE-2025-3515

This repository contains a functional exploit for CVE-2025-3515, a file upload vulnerability in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit demonstrates unauthenticated remote code execution by uploading malicious files with extensions like .phar, .php5, and .inc, which are not properly blacklisted by the plugin.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin ≤ 1.3.8.9
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Contact Form 7 with file upload functionality must be present
devstral-2 · analyzed May 03, 2026
nomisec · WORKING POC · 17 stars
by brokendreamsclub · poc
https://github.com/brokendreamsclub/CVE-2025-3515

This repository contains a Python-based exploit for CVE-2025-3515, targeting a file upload vulnerability in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit automates detection, form identification, and webshell upload using bypass extensions like .phar and .php5.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress plugin 'drag-and-drop-multiple-file-upload-contact-form-7' (≤ 1.3.8.9)
No auth needed
Prerequisites: Target running vulnerable plugin version · Accessible admin-ajax.php endpoint · Contact Form 7 with file upload field
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by ImBIOS · poc
https://github.com/ImBIOS/lab-cve-2025-3515

This repository provides a Dockerized WordPress lab to reproduce CVE-2025-3515, an arbitrary file upload vulnerability in the 'drag-and-drop-multiple-file-upload-contact-form-7' plugin (≤ 1.3.8.9). It includes a Nuclei template to exploit the vulnerability via the `/wp-admin/admin-ajax.php?action=ddmu_upload_file` endpoint.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress plugin 'drag-and-drop-multiple-file-upload-contact-form-7' v1.3.8.9
Auth required
Prerequisites: Docker environment · WordPress with vulnerable plugin installed · Admin credentials for WordPress
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by Professor6T9 · remote
https://github.com/Professor6T9/CVE-2025-3515

This repository contains a Python-based exploit for CVE-2025-3515, targeting arbitrary file upload in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit uploads a malicious PHP shell via an unauthenticated AJAX endpoint, leading to remote code execution.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 ≤ 1.3.8.9
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · WordPress site must be accessible
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/blueisbeautiful/CVE-2025-3515

This repository contains a functional exploit for CVE-2025-3515, a file upload vulnerability in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit demonstrates unauthenticated remote code execution by uploading malicious files with extensions like .phar and .php5, which are not blacklisted by the plugin.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (≤ 1.3.8.9)
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Contact Form 7 with file upload functionality must be present
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload
HIGH · VERIFIED · by hnd3884

Scores

CVSS v3 8.1
EPSS 0.0370
EPSS Percentile 88.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:6.6.2-php8.2-apache
docker pull wordpress:cli-php8.2
+2 more repos

Details

VulnCheck KEV 2025-06-17
CWE
CWE-434
Status published
Products (2)
codedropz/drag_and_drop_multiple_file_upload_-_contact_form_7 < 1.3.9.0
glenwpcoder/Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.8.9
Published Jun 17, 2025
Tracked Since Feb 18, 2026