CVE-2025-2328: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin contains a vulnerability to arbitrary file deletion due to insufficient file path validation in versions up to and including 1.3.8.7. The vulnerability exists in the 'dndremoveuploaded_files' function, which allows unauthenticated attackers to add arbitrary file paths to uploaded files on the server. This can potentially lead to remote code execution when an Administrator deletes the message. The exploitation requires the Flamingo plugin to be installed and activated (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). It has received a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue stems from insufficient validation of file paths in the dndremoveuploaded_files function, which allows attackers to manipulate file paths using directory traversal sequences (e.g., ../../../../wp-config.php) (NVD, WordPress Plugin).

The vulnerability can lead to arbitrary file deletion on the server and potentially remote code execution when an administrator deletes a message containing the malicious file path. This could result in website compromise, data loss, or complete system takeover (NVD).

The vulnerability has been patched in version 1.3.8.8 of the plugin. Users should immediately update to this version to protect their installations. The patch implements proper file path validation to prevent directory traversal attacks (WordPress Changeset).