CVE-2025-6220: 
WordPress vulnerability analysis and mitigation

The Ultra Addons for Contact Form 7 plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-6220) in versions up to and including 3.5.12. The vulnerability exists in the 'save_options' function due to missing file type validation, which allows authenticated attackers with Administrator-level access to upload arbitrary files to the server's /wp-content/uploads/itinerary-fonts/ directory (NVD). The vulnerability was discovered and reported by Ryan Kozak, and was assigned a CVSS v3.1 score of 7.2 (HIGH) (Wiz).

The vulnerability exists in the uacf7optionssave functionality within /wp-content/plugins/ultimate-addons-for-contact-form-7/admin/tf-options/classes/UACF7Settings.php. The vulnerable code in lines 894-920 of the saveoptions() function only validates uploaded files against a generic MIME type 'application/octet-stream' without proper file type restrictions. The uploaded files are stored in a web-accessible directory (/wp-content/uploads/itinerary-fonts/), making them directly accessible through the web browser (GitHub, Ryan Blog).

Successful exploitation of this vulnerability could allow an authenticated attacker with administrator privileges to upload arbitrary files to the server, potentially leading to remote code execution. The uploaded files are stored in a web-accessible directory, making them directly accessible through the web browser (GitHub).

The vulnerability has been patched in version 3.5.13 of the plugin. The update implements proper file type validation by restricting uploads to specific font file extensions (ttf, otf, woff, woff2) and their corresponding MIME types (WordPress Changeset). Users are strongly advised to update to the latest version immediately.