CVE-2025-1028: 
WordPress vulnerability analysis and mitigation

The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This vulnerability was discovered and disclosed on February 4, 2025 (NVD).

The vulnerability stems from missing file type validation in the contact form upload functionality. This security flaw allows unauthenticated attackers to upload arbitrary files to the affected site's server. The exploitation requires successfully exploiting a race condition, and remote code execution is possible in specific configurations where the first extension is processed over the final. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 HIGH with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow attackers to upload malicious files to the server, potentially leading to remote code execution in specific configurations. This could result in complete compromise of the affected WordPress site, allowing attackers to execute arbitrary code, access sensitive data, and potentially gain full control of the website (NVD).

The vulnerability has been fixed in version 8.6.5 of the Contact Manager plugin. Site administrators are strongly advised to update to this version immediately. The update includes improvements to the security of uploads functionality (WordPress Plugin).