CVE-2025-14457

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:codedropz:contact_form_7:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2026-01-15 07:16

Updated : 2026-01-23 15:56

NVD link : CVE-2025-14457

Mitre link : CVE-2025-14457

CVE.ORG link : CVE-2025-14457

JSON object : View

Products Affected

codedropz

contact_form_7

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-14457", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2026-01-15T07:16:02.717", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the \"Send attachments as links\" setting is enabled."}], "lastModified": "2026-01-23T15:56:08.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codedropz:contact_form_7:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "A87B11D3-795F-4D07-8A35-54457518896C", "versionEndIncluding": "1.3.9.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}