CVE-2025-6220

High CVSS: 7.2

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Vendor

Themefic

Product

Ultimate Addons For Contact Form 7

CWE

CWE-434

Yayın Tarihi

2025-06-18 12:15:19

Güncelleme

2025-07-09 18:49:50

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-434 Ultimate Addons For Contact Form 7 HIGH Themefic 2025

Referanslar

https://github.com/d0n601/CVE-2025-6220 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/admin/tf-options/classes/UACF7_Settings.php#L894-920 https://plugins.trac.wordpress.org/changeset/3288584/ https://ryankozak.com/posts/cve-2025-6220/ https://www.wordfence.com/threat-intel/vulnerabilities/id/697f3432-63b7-42d6-b188-812165cd2020?source=cve

Benzer Kayıtlar

Medium

CVE-2025-6756

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's U…

High

CVE-2025-6212

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database m…

High

CVE-2025-47549

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Uplo…

High

CVE-2025-47550

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell…

Unknown

CVE-2025-24650

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a…