Brief Summary of CVE-2025-49387: Arbitrary File Upload in Drag and Drop File Upload for Elementor Forms

This post provides a brief summary of CVE-2025-49387, a critical unrestricted file upload vulnerability in the Drag and Drop File Upload for Elementor Forms WordPress plugin. It covers technical details, affected versions, and relevant references for further reading.
ZeroPath CVE Analysis

2025-08-28

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers have leveraged file upload flaws in WordPress plugins to gain full control of thousands of sites in 2025. CVE-2025-49387 in the Drag and Drop File Upload for Elementor Forms plugin is a critical example, enabling unauthenticated remote code execution through unrestricted file uploads. This plugin is widely used to extend Elementor forms with file upload features, making its security posture highly relevant for a broad segment of the WordPress ecosystem.

Technical Information

CVE-2025-49387 is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in the Drag and Drop File Upload for Elementor Forms plugin due to insufficient server-side validation of uploaded files. Specifically, the plugin allows users to upload files without enforcing strict checks on file type, extension, or content. This enables attackers to upload executable files such as PHP web shells to directories accessible from the web.

The exploitation flow is as follows:

  • An attacker locates a WordPress site running a vulnerable version of the plugin (up to and including 1.5.3).
  • The attacker crafts a malicious PHP file designed to provide remote command execution.
  • Using the plugin's form, the attacker uploads the file. The plugin fails to block or sanitize the dangerous file type.
  • The uploaded file is placed in a directory that can be accessed and executed via the web server.
  • The attacker accesses the uploaded web shell, gaining control over the server.

This vulnerability is technically similar to other recent file upload flaws in WordPress form plugins, where lack of strict allowlisting and content inspection has led to widespread exploitation. No public code snippets are available for this specific vulnerability, but the exploitation pattern matches those documented in related advisories.
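Since no code for the flaw or its fix is public, the following is an added example (not the plugin's code and not the vendor's patch) of the server-side checks whose absence defines CWE-434: per-segment extension allowlisting, content inspection, and randomized storage names. It assumes a WordPress runtime (WP_Error, sanitize_file_name, wp_generate_password and wp_handle_upload are core functions); the function name and the $allowed map are illustrative assumptions.

```php
<?php
// Added example, not the plugin's code. $file is one entry of $_FILES;
// $allowed maps extension => expected MIME, e.g. [ 'pdf' => 'application/pdf' ].
function example_safe_form_upload( array $file, array $allowed ) {
    // 1. Trust nothing PHP itself already flagged (partial upload, size limit).
    if ( ! isset( $file['error'], $file['tmp_name'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload failed.' );
    }

    // 2. Allowlist applied to *every* dotted segment, so a double extension
    //    such as "x.php.pdf" is rejected as well as a bare "x.php".
    $name     = sanitize_file_name( $file['name'] );
    $segments = array_map( 'strtolower', explode( '.', $name ) );
    array_shift( $segments ); // drop the base name
    if ( empty( $segments ) ) {
        return new WP_Error( 'no_ext', 'File must have an extension.' );
    }
    foreach ( $segments as $segment ) {
        if ( ! isset( $allowed[ $segment ] ) ) {
            return new WP_Error( 'bad_ext', "Extension '$segment' is not permitted." );
        }
    }
    $ext = end( $segments );

    // 3. Content check: the bytes on disk must match what the extension claims,
    //    independent of the client-supplied $file['type'].
    $finfo     = finfo_open( FILEINFO_MIME_TYPE );
    $real_mime = finfo_file( $finfo, $file['tmp_name'] );
    finfo_close( $finfo );
    if ( $real_mime !== $allowed[ $ext ] ) {
        return new WP_Error( 'mime_mismatch', 'File content does not match its type.' );
    }

    // 4. Let core move the file, but narrow its MIME list to this one type
    //    and store it under an unguessable name ($dot_ext arrives as ".pdf").
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => array( $ext => $allowed[ $ext ] ),
        'unique_filename_callback' => function ( $dir, $fname, $dot_ext ) {
            return wp_generate_password( 24, false ) . $dot_ext;
        },
    );
    return wp_handle_upload( $file, $overrides );
}
```

The checks above still leave the file inside the web-served uploads directory, so they belong alongside a web-server rule that refuses to execute scripts there; neither control alone is sufficient.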

Affected Systems and Versions

  • Product: Drag and Drop File Upload for Elementor Forms (WordPress plugin by add-ons.org)
  • Affected versions: All versions from initial release through 1.5.3
  • Any WordPress site with this plugin active and at least one file upload form exposed is vulnerable

Vendor Security History

add-ons.org is known for developing plugins that extend Elementor functionality. The Drag and Drop File Upload for Elementor Forms plugin has previously been affected by security issues, including arbitrary file deletion vulnerabilities in version 1.4.3. The vendor has released security fixes in the past (notably in version 1.5.0), but recurring critical issues highlight the need for more robust secure development practices and validation mechanisms.

References