
Cloud Vulnerability DB
A community-led vulnerabilities database
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin contains an arbitrary file upload vulnerability, CVE-2025-3515, disclosed on June 17, 2025. All versions up to and including 1.3.8.9 are affected; the root cause is insufficient file type validation in the plugin's upload handler (NVD, Wiz).
The plugin screens uploads against a blacklist of forbidden extensions rather than an allowlist of permitted ones, and .phar is not on that list. An unauthenticated attacker can therefore upload a .phar file, or any other dangerous type the blacklist omits, to the affected site's server. Whether the upload becomes code execution depends on the web server: it does on hosts that hand .phar files to the PHP interpreter, and the default Apache+mod_php configuration on Debian and Ubuntu does exactly that, since its handler rule (FilesMatch ".+\.ph(ar|p|tml)$" with SetHandler application/x-httpd-php) routes .phar alongside .php and .phtml. The vulnerability has been assigned a CVSS v3.1 score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that the vector rates attack complexity High: the upload itself is trivial, but turning it into code execution hinges on that server-side handling (NVD).
Successful exploitation gives the attacker remote code execution on the affected server, particularly under default Apache+mod_php configurations, which can lead to complete server compromise (Wiz).
The vulnerability is fixed in version 1.3.9.0 of the plugin, which addresses the .phar upload specifically and tightens the file type validation generally. Site owners should update to 1.3.9.0 or later without delay (WordPress Changeset).
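The following is an added example, not code from the plugin, NVD or Wiz, written in Python to show why an extension blacklist fails in the way described above and how an allowlist closes the gap. The blacklist contents, the allowlist and the sample filenames are assumptions constructed for the demonstration; the Apache pattern is the handler rule shipped in Debian/Ubuntu's libapache2-mod-php configuration. The example computes the intersection that matters for this CVE: names the upload filter lets through AND the web server would execute as PHP.

```python
import re

# Constructed blacklist in the style of an upload filter that knows the common
# PHP extensions but not .phar. Assumption: the plugin's real list is not on the page.
BLACKLIST = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "pht"}

# Allowlist of what a contact form realistically needs (assumption for the demo).
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Handler rule from Debian/Ubuntu libapache2-mod-php (php*.conf):
#   <FilesMatch ".+\.ph(ar|p|tml)$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
# FilesMatch is a case-sensitive PCRE match against the final file name.
MOD_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Constructed sample of names an upload form might receive.
SAMPLE_UPLOADS = [
    "photo.jpg",
    "notes.pdf",
    "shell.php",
    "shell.PHP",
    "evil.phtml",
    "x.php5",
    "image.php.jpg",
    "shell.phar",
]


def extension(filename):
    """Lower-cased final extension of the base name, or '' if there is none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def blacklist_allows(filename):
    """Vulnerable pattern: accept anything whose extension is not on the blacklist."""
    return extension(filename) not in BLACKLIST


def allowlist_allows(filename):
    """Hardened pattern: accept only an extension the form actually needs.

    Anything unknown (phar, or whatever the next interpreter adds) is rejected
    by default instead of having to be remembered in a deny list.
    """
    return extension(filename) in ALLOWLIST


def executed_by_mod_php(filename):
    """True if the default Apache+mod_php rule above would run this file as PHP."""
    base = filename.rsplit("/", 1)[-1]
    return MOD_PHP_HANDLER.match(base) is not None


def rce_candidates(filenames, policy):
    """Names that pass the upload policy AND would be executed by mod_php."""
    return [f for f in filenames if policy(f) and executed_by_mod_php(f)]


if __name__ == "__main__":
    print("blacklist lets through and Apache executes:",
          rce_candidates(SAMPLE_UPLOADS, blacklist_allows))
    print("allowlist lets through and Apache executes:",
          rce_candidates(SAMPLE_UPLOADS, allowlist_allows))
```

Run as written, the blacklist policy leaves exactly shell.phar as an executable upload while the allowlist leaves none. Two caveats a practitioner should keep in mind: the allowlist still accepts image.php.jpg, which is harmless under the SetHandler rule shown (only the final extension counts) but not under AddHandler-based configurations, where Apache's mod_mime can act on any extension in the name, so uploaded filenames should also be rewritten or sanitised; and the rule checked here is one distribution's default, so the equivalent check on a real host should read the actual Apache or PHP-FPM configuration rather than assume it.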
Source: This report was generated using AI