CVE-2022-0595

MEDIUM

Published Mar 28, 20224y ago · Modified Jun 17, 20261w ago

5.4 CVSS 3.1

Medium

Published Mar 28, 2022 4y ago

Last Modified Jun 17, 2026 1w ago

Description

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue

CVSS Details

Base Score

5.4

Exploitability

2.3

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

Public Exploit Known

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
codedropz	drag_and_drop_multiple_file_upload_-_contact_form_7	*	<1.3.6.3

References 2

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/2686614

PatchThird Party Advisory
wpscan.com https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de

ExploitThird Party Advisory

Remediation

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/2686614

PatchThird Party Advisory