A high-severity vulnerability, CVE-2025-6220, was detected in the Ultra Addons for Contact Form 7 plugin for WordPress, affecting versions up to and including 3.5.12. It allows authenticated attackers with Administrator-level access and above to upload arbitrary files to the affected site’s server because the save_options function is missing file type validation, potentially leading to remote code execution. To address this issue, upgrade the Ultra Addons for Contact Form 7 plugin to version 3.5.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6220.
WordPress: Arbitrary File Upload in Ultra Addons for Contact Form 7 Plugin
by the Hossted team
20.06.2025