wpvulndb | Nicholas Ferreira | WPVDB-ID: 60605E30-628C-4EB1-9D46-DED115AF5843
History: Mar 08, 2023 - 12:00 a.m.

Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal

2023-03-08 00:00:00 | Nicholas Ferreira | wpscan.com | 10
Tags: path traversal, file upload, contact form 7 standard

EPSS: 0.002 (Low)
EPSS Percentile: 61.6%

The plugin does not properly validate the value of the “upload_dir” input, which is modifiable by the user. By changing this value, an attacker can upload a file to any writable location on the web server, not just the plugin's own upload directory.
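The defensive fix for this class of bug is to treat the requested directory as untrusted and confine it to the plugin's own upload root before any file is written. The PHP below is an added example written for this page; it is not code from the plugin or its author. The base path, the `resolve_upload_dir()` function name and the directory names in the demo are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): resolve a user-supplied upload
// sub-directory strictly inside a fixed base directory, rejecting traversal.
// Assumes PHP 7.4+. $base_dir stands for the plugin's intended upload root
// (hypothetical value; a real plugin would derive it from wp_upload_dir()).

/**
 * Returns the absolute path of $base_dir/$requested_subdir if, and only if,
 * the resolved path is still inside $base_dir. Returns null otherwise.
 */
function resolve_upload_dir(string $base_dir, string $requested_subdir): ?string
{
    // Canonicalise the base; it must already exist and be a directory.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Syntactic checks before the value touches the filesystem: reject NUL
    // bytes, absolute paths (POSIX and Windows drive form) and any ".." segment.
    if (strpos($requested_subdir, "\0") !== false) {
        return null;
    }
    $normalized = str_replace('\\', '/', $requested_subdir);
    if ($normalized === '' || $normalized[0] === '/' || preg_match('#^[A-Za-z]:#', $normalized)) {
        return null;
    }
    $clean = [];
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return null;          // traversal attempt
        }
        if ($segment === '' || $segment === '.') {
            continue;             // drop empty and "current dir" segments
        }
        $clean[] = $segment;
    }
    if ($clean === []) {
        return null;              // nothing left: refuse to write into the root itself
    }

    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $clean);

    // If the target already exists, re-check after symlink resolution so a
    // link planted inside the base cannot point the write elsewhere.
    if (file_exists($candidate)) {
        $resolved = realpath($candidate);
        if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }
        return $resolved;
    }
    return $candidate;
}

// Demo with constructed values: a throw-away base directory in the temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7_upload_root_demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$ok   = resolve_upload_dir($base, 'wpcf7_drag-n-drop_uploads');        // inside root
$bad  = resolve_upload_dir($base, 'wpcf7_drag-n-drop_uploads/../..');  // escapes root
$abs  = resolve_upload_dir($base, '/var/www/html');                     // absolute path
printf("allowed:  %s\n", $ok ?? 'null');
printf("rejected: %s\n", $bad ?? 'null');
printf("rejected: %s\n", $abs ?? 'null');
```

The important design choice is to validate on the string form first and then, for paths that already exist, confirm with realpath() that the canonical target still lies under the base. Checking only one of the two leaves a gap: string checks alone miss symlinks, and realpath() alone returns false for a directory that has not been created yet.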

PoC

1. Create a contact form and add a “multiple file upload” field.
2. Add the contact form to a page using the contact-form-7 shortcode.
3. Visit the page on the frontend and drag a file into the upload section.
4. Intercept the request and append /../.. to the upload_dir parameter.
5. See that the file is uploaded outside of the wpcf7_drag-n-drop_uploads directory.

CPE Name                    Operator   Version
drag-n-drop-upload-cf7-pro  lt         5.0.6.4

