CVE-2025-8464: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions up to and including 1.3.9.0) contains a Directory Traversal vulnerability that can be exploited via the wpcf7guestuser_id cookie. This vulnerability was discovered and disclosed on August 15, 2025, and is tracked as CVE-2025-8464. The vulnerability allows unauthenticated attackers to upload and delete files outside of the intended directory (NVD).

The vulnerability is classified as a Relative Path Traversal (CWE-23) with a CVSS v3.1 Base Score of 5.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The impact of this vulnerability is limited since file types are validated and only safe ones can be uploaded, while deletion is restricted to the plugin's uploads folder (Wordfence).

The vulnerability allows attackers to manipulate file upload and deletion operations outside the intended directory structure. However, the impact is somewhat mitigated by built-in security controls that validate file types and restrict deletion operations to the plugin's uploads folder (NVD).

Website administrators running affected versions of the Drag and Drop Multiple File Upload for Contact Form 7 plugin should update to a patched version when available. In the meantime, careful monitoring of file upload activities and implementing additional security controls at the web application firewall level may help mitigate the risk (NVD).