CVE-2025-3515

HIGH EXPLOITED NUCLEI LAB

Codedropz Drag And Drop Multiple File... - Unrestricted File Upload

Title source: rule

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is not strictly validated before being passed to the PHP interpreter.

Exploits (4)

nomisec WORKING POC 17 stars
by brokendreamsclub · poc
https://github.com/brokendreamsclub/CVE-2025-3515
nomisec WORKING POC 1 star
by ImBIOS · poc
https://github.com/ImBIOS/lab-cve-2025-3515
nomisec WORKING POC
by Professor6T9 · remote
https://github.com/Professor6T9/CVE-2025-3515
vulncheck_xdb WORKING POC
remote
https://github.com/blueisbeautiful/CVE-2025-3515

Nuclei Templates (1)

Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload
HIGH · VERIFIED · by hnd3884

Scores

CVSS v3 8.1
EPSS 0.0602
EPSS Percentile 90.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:6.6.2-php8.2-apache
docker pull wordpress:cli-php8.2
+1 more repos

Details

VulnCheck KEV 2025-06-17
CWE
CWE-434
Status published
Products (2)
codedropz/drag_and_drop_multiple_file_upload_-_contact_form_7 < 1.3.9.0
glenwpcoder/Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.8.9
Published Jun 17, 2025
Tracked Since Feb 18, 2026