CVE-2025-2485: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin is vulnerable to PHP Object Injection in versions up to and including 1.3.8.7. The vulnerability exists in the 'dnduploadcf7_upload' function via deserialization of untrusted input, allowing attackers to inject PHP Objects through PHAR files (NVD).

The vulnerability stems from unsafe deserialization of untrusted input in the 'dnduploadcf7_upload' function. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, the vulnerability could be exploited if another plugin or theme containing a POP chain is installed. The vulnerability can be exploited by unauthenticated attackers when a form with file upload functionality is present on the site, and requires the Flamingo plugin to be installed and activated (NVD).

The severity of this vulnerability depends on the presence of POP chains in other installed plugins or themes. If a suitable POP chain exists, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the target system (NVD).

The vulnerability has been patched in version 1.3.8.8 of the plugin. Users should update to this version immediately to protect their installations (WordPress Plugin Repository).