CVE-2022-3282: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload WordPress plugin before version 1.3.6.5 contains a security vulnerability identified as CVE-2022-3282. The vulnerability was discovered by Sanjay Das and publicly disclosed on September 26, 2022. This vulnerability affects the file upload size limit functionality in the WordPress plugin drag-and-drop-multiple-file-upload-contact-form-7 (WPScan).

The vulnerability stems from improper validation of upload size limits in forms. The plugin fails to properly enforce the upload size limit set by administrators, instead accepting the value from user input during form submission. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability allows attackers to bypass file size restrictions set by administrators in the contact form. This could potentially lead to the upload of larger files than intended, possibly causing storage issues or being used as part of a larger attack strategy (WPScan).

The vulnerability has been fixed in version 1.3.6.5 of the plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).