CVE-2025-14457
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File DeletionThe Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.
We have discovered 13,214 live websites that are affected by CVE-2025-14457.
Affected Software
| Product |  Drag And Drop Multiple File Upload Contact Form 7 |
| Category | Wordpress Plugins |
| Vulnerable Domains | 13,214 live websites (73% of Drag And Drop Multiple File Upload Contact Form 7 install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 55 versions ( 95% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Jan 15, 2026
- Updated - Jan 15, 2026
Credits
- Angus Girvan (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14457 United States | 2,294 websites |
 Germany | 2,653 websites |
 Russia | 719 websites |
 France | 660 websites |
 GB | 594 websites |
 Japan | 583 websites |
 Italy | 557 websites |
 Poland | 527 websites |
 Netherlands | 377 websites |
 Spain | 312 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14457| .com | 3,815 websites |
| .de | 2,022 websites |
| .ru | 580 websites |
| .co.uk | 441 websites |
| .it | 408 websites |
| .pl | 373 websites |
| .nl | 356 websites |
| .fr | 327 websites |
| .org | 324 websites |
| .com.au | 239 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14457
Top websites that are affected by CVE-2025-14457. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********************.com | United States | **,*** | |
| ****.hr |  Croatia | **,*** | |
| ******.pt |  Portugal | **,*** | |
| *******.org | France | **,*** | |
| **********************.**.uk | GB | **,*** | |
| **********.ro |  Romania | **,*** | |
| **.***.pl | Poland | **,*** | |
| **************.com | United States | **,*** | |
| ***********.**.jp | Japan | **,*** | |
| ****************.com | United States | **,*** |
FAQ
CVE-2025-14457 is Missing Authorization in Drag And Drop Multiple File Upload Contact Form 7
A total of 13,214 websites have been identified as vulnerable to CVE-2025-14457, based on global website indexing conducted by WebTechSurvey.
The Drag And Drop Multiple File Upload Contact Form 7 is affected by the CVE-2025-14457 vulnerability.
Drag And Drop Multiple File Upload Contact Form 7 versions up to and including 1.3.9.2 are vulnerable to CVE-2025-14457.