CVE-2025-8464: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin contains a Directory Traversal vulnerability in versions up to and including 1.3.9.0. The vulnerability is tracked as CVE-2025-8464 and was discovered on August 16, 2025. The issue allows unauthenticated attackers to upload and delete files outside of the intended directory via the wpcf7guestuser_id cookie (NVD, AttackerKB).

The vulnerability exists due to improper validation of the wpcf7guestuser_id cookie which can be manipulated to perform directory traversal attacks. The impact is partially mitigated as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder. The vulnerability has a CVSS v3.1 base score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (Wordfence).

The vulnerability allows unauthenticated attackers to upload files to and delete files from directories outside of the intended upload directory. However, the impact is limited since the plugin validates file types to ensure only safe files can be uploaded, and file deletion is restricted to the plugin's uploads folder (NVD).

The vulnerability has been patched in version 1.3.9.1 of the plugin. Site administrators should update to this version immediately. The update includes security fixes related to cookie handling and directory traversal prevention (WordPress Plugin).