What the vulnerability does
01Description
Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
What the vulnerability does
Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions.
Explanation of Vulnerability in Simple Terms
The Drag and Drop Multiple File Upload plugin for Contact Form 7 contains a cross-site scripting (XSS) vulnerability in versions up to 1.3.9.7. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability requires user interaction—typically clicking a malicious link—and can affect multiple users across the site.
What an attacker can do
Inject malicious scripts that run in visitors' browsers, potentially stealing session tokens or redirecting users.
Potential impact on your site
Site visitors and admins could be redirected, have sessions hijacked, or see fake login forms injected into your pages.
Conditions required to exploit
Visitor or admin must click a malicious link or visit an attacker-controlled page; no authentication required.
Key dates
External resources
Related vulnerabilities