Plugin Name: Drag and Drop Multiple File Upload– Contact Form 7
- Software Type: Plugin
- Software Slug: drag-and-drop-multiple-file-upload-contact-form-7
- Software Status: Active
- Software Author: glenwpcoder
- Software Downloads: 575,808
- Active Installs: 50,000
- Last Updated: November 1, 2023
- Patched Versions: 22.214.171.124
- Affected Versions: <= 126.96.36.199
- Name: Drag and Drop Multiple File Upload - Contact Form 7 <= 188.8.131.52 - Unauthenticated Arbitrary File Upload
- Title: Unauthenticated Arbitrary File Upload
- Type: Unrestricted Upload of File with Dangerous Type
- CVE: CVE-2023-5822
- CVSS Score: 8.1 (High)
- Publicly Published: November 1, 2023
- Researcher: Lana Codes
- Description: The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 184.108.40.206. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple file upload' form field with '*' acceptable file types.
The Drag and Drop Multiple File Upload- Contact Form 7 plugin for WordPress has a vulnerability in versions up to and including 220.127.116.11 that allows unauthenticated arbitrary file upload. This vulnerability has been patched in version 18.104.22.168.
The Drag and Drop Multiple File Upload - Contact Form 7 plugin contains insufficient validation of uploaded file types in the 'dnd_upload_cf7_upload' function. This makes it possible for unauthenticated remote attackers to upload arbitrary files, including PHP files, to the vulnerable WordPress site. If successfully exploited, this could lead to remote code execution.
This vulnerability was discovered by researcher Lana Codes and allows any user with access to add or edit a form to exploit it by adding a 'multiple file upload' field with '*' acceptable file types. This issue affects all versions up to and including 22.214.171.124. Users are advised to update to version 126.96.36.199, which contains the fix for this vulnerability.
Advice for Users:
- Immediate Action: Update to version 188.8.131.52 or higher as soon as possible.
- Check for Signs of Compromise: Review your file manager for any unexpected files and scan for malware if you find any. Also check for any unexpected behavior or redirects on your site.
- Alternate Plugins: Consider a more secure multiple file upload plugin like Multi File Upload or Multi File Uploader as a precaution.
- Stay Updated: Ensure your WordPress, themes, and plugins are always updated to the latest versions.
The quick response by the developers to patch this severe vulnerability is appreciated. Users should waste no time in updating to the latest version to prevent any compromise of their websites. This serves as an important reminder about the risks of outdated plugins.
Keeping your WordPress website secure should be a top priority – but with the constant stream of plugin updates, it can be easy to let things slip. Unfortunately, that creates an opening for attackers to exploit vulnerabilities in outdated plugins and compromise your site.
That’s exactly what’s happened with the popular Drag and Drop Multiple File Upload Contact Form 7 plugin. This plugin, which has over 50,000 active installs, allows easy multiple file uploads via drag and drop on Contact Form 7 forms. However, versions up to and including 184.108.40.206 contain a severe security flaw enabling unauthenticated arbitrary file uploads (CVE-2023-5822).
This vulnerability, discovered by researcher Lana Codes, is caused by insufficient validation of uploaded file types in the 'dnd_upload_cf7_upload' function. It allows any user with access to add or edit a form to exploit it by adding a 'multiple file upload' field with '*' acceptable file types. Successful exploitation of this vulnerability can allow attackers to upload malicious PHP files and scripts, leading to remote code execution.
If you are running any version up to and including 220.127.116.11, you should immediately update to version 18.104.22.168 which contains the fix. You should also check your files for any unexpected uploads and scan for malware. Considering alternate plugins like Multi File Upload can also help strengthen security.
This is not the first vulnerability found in this plugin. There have been 4 previous vulnerabilities disclosed since June 2020, underscoring the risks of outdated WordPress plugins. As a small business owner on WordPress, you may not have the resources to constantly monitor and update every plugin. But automatic background updates and periodic audits of your plugins can help catch issues early. We also recommend seeking help from a managed service provider specializing in WordPress security.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.