216.73.216.174

CVE-2025-14842

· Published 07/01/2026 12:16 · Modified 08/01/2026 18:08

Labels: CVE-2025-14842 2026-01-07CVE-2025-14842CWE-434[email protected]

Essential information

Published
07/01/2026 12:16
Modified
08/01/2026 18:08
Author
Creator
CVSS
6.1 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / drag and drop multiple file upload contact form 7 cpe:2.3:a:wordpress:drag_and_drop_multiple_file_upload_contact_form_7:1.3.9.2:*:*:*:*:wordpress:*:*
wordpress / wordpress cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:wordpress:*:*

References