4 vulnerabilities found for Drag and Drop Multiple File Upload – Contact Form 7 by Unknown
CVE-2022-3282 (GCVE-0-2022-3282)
Vulnerability from cvelistv5 – Published: 2022-10-17 00:00 – Updated: 2025-05-13 15:47
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
Severity
4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (scored by CISA-ADP)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
WPScan
References
- https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c
Impacted products
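| Vendor | Product | Version |
|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 | Affected: 1.3.6.5, < 1.3.6.5 (custom) |

Note: the record gives 1.3.6.5 as both the range start and the exclusive upper bound, which read literally matches no version. Per the summary, the affected releases are those before 1.3.6.5, so version-matching tools that evaluate the range literally may not flag vulnerable installs.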
Credits
Sanjay Das
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T15:46:54.008807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:47:23.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.5",
"status": "affected",
"version": "1.3.6.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sanjay Das"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload \u003c 1.3.6.5 - File Upload Size Limit Bypass",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3282",
"datePublished": "2022-10-17T00:00:00.000Z",
"dateReserved": "2022-09-23T00:00:00.000Z",
"dateUpdated": "2025-05-13T15:47:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0595 (GCVE-0-2022-0595)
Vulnerability from cvelistv5 – Published: 2022-03-28 17:22 – Updated: 2024-08-02 23:32
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue, because an SVG file can carry script that runs in the browser of anyone who opens the uploaded file.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
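Assigner
WPScan
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2686614 | x_refsource_CONFIRM |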
Impacted products
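| Vendor | Product | Version |
|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 | Affected: 1.3.6.3, < 1.3.6.3 (custom) |

Note: the record gives 1.3.6.3 as both the range start and the exclusive upper bound, which read literally matches no version. Per the summary, the affected releases are those before 1.3.6.3, so version-matching tools that evaluate the range literally may not flag vulnerable installs.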
Credits
Brandon James Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.3",
"status": "affected",
"version": "1.3.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon James Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T17:22:57",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0595",
"STATE": "PUBLIC",
"TITLE": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.3.6.3",
"version_value": "1.3.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon James Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2686614",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0595",
"datePublished": "2022-03-28T17:22:57",
"dateReserved": "2022-02-14T00:00:00",
"dateUpdated": "2024-08-02T23:32:46.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3282 (GCVE-0-2022-3282)
Vulnerability from nvd – Published: 2022-10-17 00:00 – Updated: 2025-05-13 15:47
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
Severity
4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (scored by CISA-ADP)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
WPScan
References
- https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c
Impacted products
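| Vendor | Product | Version |
|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 | Affected: 1.3.6.5, < 1.3.6.5 (custom) |

Note: the record gives 1.3.6.5 as both the range start and the exclusive upper bound, which read literally matches no version. Per the summary, the affected releases are those before 1.3.6.5, so version-matching tools that evaluate the range literally may not flag vulnerable installs.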
Credits
Sanjay Das
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T15:46:54.008807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:47:23.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.5",
"status": "affected",
"version": "1.3.6.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sanjay Das"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-17T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload \u003c 1.3.6.5 - File Upload Size Limit Bypass",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3282",
"datePublished": "2022-10-17T00:00:00.000Z",
"dateReserved": "2022-09-23T00:00:00.000Z",
"dateUpdated": "2025-05-13T15:47:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0595 (GCVE-0-2022-0595)
Vulnerability from nvd – Published: 2022-03-28 17:22 – Updated: 2024-08-02 23:32
Summary
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue, because an SVG file can carry script that runs in the browser of anyone who opens the uploaded file.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
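Assigner
WPScan
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2686614 | x_refsource_CONFIRM |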
Impacted products
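| Vendor | Product | Version |
|---|---|---|
| Unknown | Drag and Drop Multiple File Upload – Contact Form 7 | Affected: 1.3.6.3, < 1.3.6.3 (custom) |

Note: the record gives 1.3.6.3 as both the range start and the exclusive upper bound, which read literally matches no version. Per the summary, the affected releases are those before 1.3.6.3, so version-matching tools that evaluate the range literally may not flag vulnerable installs.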
Credits
Brandon James Roldan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.6.3",
"status": "affected",
"version": "1.3.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Brandon James Roldan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T17:22:57",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0595",
"STATE": "PUBLIC",
"TITLE": "Drag and Drop Multiple File Upload - Contact Form 7 \u003c 1.3.6.3 - Unauthenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Drag and Drop Multiple File Upload \u2013 Contact Form 7",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.3.6.3",
"version_value": "1.3.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Brandon James Roldan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2686614",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2686614"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0595",
"datePublished": "2022-03-28T17:22:57",
"dateReserved": "2022-02-14T00:00:00",
"dateUpdated": "2024-08-02T23:32:46.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}