CVE-2025-14457 LOW

CVE-2025-14457: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion

Vendor Glenwpcoder
Product Drag and Drop Multiple File Upload for Contact Form 7
Weakness CWE-862 · Missing authorization
Published January 15, 2026
Last update April 8, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.
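One way a delete handler can enforce the ownership check this description says is missing, shown as an added example. It is not the plugin's code or its patch; the function names, the secret, the session identifiers and the directory layout are hypothetical.

```php
<?php
// Added illustration of an ownership check on file deletion.
// Not the plugin's code; every name below is hypothetical.

// Server-side secret (constructed value; a real site would load it from configuration).
const UPLOAD_SECRET = 'constructed-demo-secret';

// Issued at upload time: binds the stored file name to the uploader's session.
function issue_delete_token(string $sessionId, string $fileName): string
{
    return hash_hmac('sha256', $sessionId . "\0" . $fileName, UPLOAD_SECRET);
}

// Deletes an uploaded file only when the caller proves it owns that file.
// Returns true when the file was deleted, false when any check fails.
function delete_upload(string $uploadDir, string $sessionId, string $fileName, string $token): bool
{
    // Ownership check: recompute the token and compare in constant time.
    if (!hash_equals(issue_delete_token($sessionId, $fileName), $token)) {
        return false;
    }

    // Confinement: the resolved target must sit inside the upload directory.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $target === false) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    return is_file($target) && unlink($target);
}

// Constructed demo: one file uploaded by "session-A".
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dnd_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'a.txt', 'uploaded by session A');
$tokenA = issue_delete_token('session-A', 'a.txt');

// Three attempts: another session reusing the token, a guessed token, then the owner.
var_dump(delete_upload($dir, 'session-B', 'a.txt', $tokenA));
var_dump(delete_upload($dir, 'session-A', 'a.txt', 'guess'));
var_dump(delete_upload($dir, 'session-A', 'a.txt', $tokenA));
rmdir($dir);
```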

Explanation of Vulnerability in Simple Terms

02 Summary

The Drag and Drop Multiple File Upload for Contact Form 7 plugin through version 1.3.9.2 lacks an ownership check on its file deletion function. An attacker without authentication can delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. The attack requires specific conditions to succeed but does not require user interaction.

What an attacker can do

03 Attacker Capabilities

Delete arbitrary uploaded files without authentication or permission.

Potential impact on your site

04 Site Impact

Uploaded files could be deleted without authorization.

Conditions required to exploit

05 Prerequisites

Network access to the site; the "Send attachments as links" setting must be enabled; specific attack conditions must be met (high complexity).

Key dates

06 Disclosure timeline

January 15, 2026 CVE published
April 8, 2026 Record updated