CVE-2025-5746
The Drag and Drop Multiple File Upload - Multiple Products
Executive summary
A critical arbitrary file upload vulnerability in The Drag and Drop Multiple File Upload WordPress plugin allows an unauthenticated attacker to execute arbitrary code, leading to a complete compromise of the affected website.
Vulnerability
The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function. This allows a remote, unauthenticated attacker to upload a malicious file, such as a web shell, to the server, resulting in remote code execution.
Business impact
Successful exploitation of this vulnerability could allow an attacker to achieve complete control over the affected web server. This can lead to the theft of sensitive data, website defacement, installation of malware, or using the compromised server to launch further attacks. The assigned CVSS score of 9.8 (Critical) underscores the extreme risk this vulnerability poses to the confidentiality, integrity, and availability of the system.
Remediation
Immediate Action: Update The Drag and Drop Multiple File Upload plugin to the latest version provided by the vendor, which patches this vulnerability.
Proactive Monitoring: Review web server access logs for suspicious POST requests and monitor the file system for any unauthorized or unexpected files in web-accessible directories.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rulesets that inspect and block malicious file uploads to act as a virtual patch.
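As an added triage example (not part of this advisory), the following Python script applies the log-review and file-system checks recommended above: it flags requests for server-executable files under the WordPress uploads tree and notes whether the same client POSTed to admin-ajax.php earlier in the log. The sample log lines are constructed, and the assumption that the plugin stores files under /wp-content/uploads/ is mine; the advisory does not state the upload path.

```python
import os
import re

# Apache/nginx "combined" access-log line: client, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Server-side-executable extensions that should never live under uploads.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
UPLOADS_PREFIX = '/wp-content/uploads/'   # assumed upload location
AJAX_PATH = '/wp-admin/admin-ajax.php'    # WordPress AJAX endpoint used by plugins


def is_executable_upload_path(path):
    """True if a URL path points at an executable file under the uploads tree."""
    path = path.split('?', 1)[0]
    return path.startswith(UPLOADS_PREFIX) and bool(EXEC_EXT.search(path))


def find_suspicious_requests(log_text):
    """Flag requests for executable files under uploads; record whether the same
    client POSTed to admin-ajax.php earlier in the log (a likely upload attempt)."""
    posted_to_ajax = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m['ip'], m['method'], m['path']
        if method == 'POST' and path.split('?', 1)[0] == AJAX_PATH:
            posted_to_ajax.add(ip)
        if is_executable_upload_path(path):
            findings.append({'ip': ip, 'path': path, 'status': m['status'],
                             'prior_ajax_post': ip in posted_to_ajax})
    return findings


def find_executable_files(uploads_dir):
    """Walk a local uploads directory and return files with executable extensions."""
    return sorted(os.path.join(root, name)
                  for root, _dirs, files in os.walk(uploads_dir)
                  for name in files if EXEC_EXT.search(name))


# Constructed sample log (not real traffic): one client POSTs to admin-ajax.php
# and then fetches a .php file from uploads; another only downloads a PDF.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-content/uploads/2025/06/x.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/06/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
```

Run `find_suspicious_requests` over real access logs and `find_executable_files` over the site's uploads directory; any hit with a 200 status or `prior_ajax_post` set warrants immediate investigation.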
Exploitation status
Public Exploit Available: Not specified.
Analyst recommendation
Given the critical severity (CVSS 9.8) and the fact that an unauthenticated attacker can exploit this flaw, immediate action is paramount. We strongly recommend applying the vendor-supplied update without delay to prevent a full system compromise. All internet-facing WordPress sites utilizing this plugin should be considered at high risk and prioritized for patching.