CVE-2023-1282

Summary

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

Affected Software

VendorProductVersion RangeStatus
UnknownDrag and Drop Multiple File Upload PRO - Contact Form 7 Standard2.0.0 < 2.11.1affected
UnknownDrag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations5.0.0.0 < 5.0.6.4affected

Weaknesses

  • CWE-79 Cross-Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References