Drag and Drop Multiple File Upload Vulnerability – Contact Form 7 – Sensitive Information Exposure – CVE-2024-3717 | WordPress Plugin Vulnerability Report 

Plugin Name: Drag and Drop Multiple File Upload – Contact Form 7

Key Information:

  • Software Type: Plugin
  • Software Slug: drag-and-drop-multiple-file-upload-contact-form-7
  • Software Status: Active
  • Software Author: glenwpcoder
  • Software Downloads: 717,544
  • Active Installs: 60,000
  • Last Updated: May 10, 2024
  • Patched Versions:
  • Affected Versions: <=

Vulnerability Details:

  • Name: Drag and Drop Multiple File Upload – Contact Form 7 <=
  • Title: Sensitive Information Exposure
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE: CVE-2024-3717
  • CVSS Score: 5.3
  • Publicly Published: April 29, 2024
  • Researcher: Tim Coen
  • Description: The plugin is vulnerable to Sensitive Information Exposure through the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory, which allows unauthenticated attackers to access sensitive data uploaded via the forms. This vulnerability affects all versions up to and including


The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress has a critical vulnerability in versions up to and including that exposes sensitive user-uploaded data. This vulnerability has been addressed and patched in version

Detailed Overview:

This vulnerability allows unauthorized individuals to access sensitive information stored in a specific directory used by the plugin for storing files uploaded via Contact Form 7. This security lapse was identified by the researcher Tim Coen, highlighting a significant oversight in the protection of uploaded files. The lack of adequate security measures in the directory permissions facilitated potential data breaches, exposing personal and confidential information of users who uploaded files through the forms.

Advice for Users:

  • Immediate Action: Update to version immediately to mitigate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Administrators should review their server's directory where files are stored for any unauthorized access or downloads.
  • Alternate Plugins: While the patch rectifies the current vulnerability, users might consider alternative form plugins that have robust security measures for handling file uploads.
  • Stay Updated: Continually ensure that your plugins are updated to the latest versions to protect against known vulnerabilities and enhance functionality.


The swift response by the developers of Drag and Drop Multiple File Upload – Contact Form 7 in releasing a patch underscores the critical need for ongoing vigilance and prompt updates in the realm of WordPress plugin management. Users of the plugin are encouraged to update to version or later to secure their WordPress installations and safeguard user data. Regular updates and proactive security practices are essential for maintaining the integrity and security of any WordPress site.


Detailed Report: 

In the world of WordPress, plugins like Drag and Drop Multiple File Upload – Contact Form 7 empower users with the flexibility to enhance their websites in countless ways. However, this flexibility does not come without risks. A recent vulnerability identified in this popular plugin, cataloged as CVE-2024-3717, has brought to light the critical importance of maintaining up-to-date security measures on your digital platforms. This vulnerability exposes sensitive user-uploaded data to unauthorized access, posing a significant risk to user privacy and data integrity.

Detailed Overview:

The issue was identified by researcher Tim Coen and involves insufficient security protections in the directory used to store files uploaded via Contact Form 7. The vulnerability permitted unauthenticated access to sensitive information, posing risks such as data theft and privacy breaches. With all versions up to and including affected, a significant number of sites were at risk until the release of the patched version, which addresses this oversight by securing the vulnerable directory.

Risks and Potential Impacts:

The exposure of sensitive user data can lead to significant consequences including identity theft, financial fraud, and loss of public trust. For businesses, this can translate into substantial reputational damage and potential legal repercussions if customer information is compromised.

Overview of Previous Vulnerabilities:

Since June 4, 2020, there have been 5 recorded vulnerabilities within this plugin, highlighting the ongoing need for vigilance and regular security audits.


The swift action taken by the developers of Drag and Drop Multiple File Upload – Contact Form 7 in patching this vulnerability underscores the critical need for regular plugin updates. For small business owners managing WordPress sites, it's especially important to stay informed and proactive in updating plugins to protect against vulnerabilities. Regular maintenance and security practices are crucial for safeguarding your online presence and ensuring the integrity of your digital operations.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Drag and Drop Multiple File Upload Vulnerability – Contact Form 7 – Sensitive Information Exposure – CVE-2024-3717 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment