Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
Description
The Drag and Drop Multiple File Upload plugin before 1.3.6.5 allows attackers to bypass the file size limit by controlling the size parameter from user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Drag and Drop Multiple File Upload WordPress plugin before version 1.3.6.5 does not enforce the administrator-configured file size limit server-side. The limit it checks an upload against is read from a size value in the submitted form data, so the same client that sends the file also chooses the ceiling it is measured against, and the administrator's setting can be overridden per request [1].
Exploitation
An attacker submits the form with a crafted size value that raises the limit, then uploads a file larger than the administrator intended. Because the server only compares the file against what the same request supplied, any visitor who can reach the form can do this; where the form is public, no authentication is required [1].
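The flaw described in the Vulnerability and Exploitation paragraphs, as an added example that is not the plugin's own code: a hypothetical WordPress upload handler with the vulnerable limit lookup beside the corrected one. The function names, the option name ddmfu_max_size_mb, the form field size_limit and the file field upload are assumptions for this illustration, not the plugin's real identifiers; wp_max_upload_size(), wp_handle_upload() and wp_send_json_error() are real WordPress functions.

```php
<?php
// Hypothetical handler: ddmfu_* names, the 'ddmfu_max_size_mb' option and the
// 'size_limit' / 'upload' request fields are assumptions for this example.

// VULNERABLE: the limit is read from the request, so the client picks it.
// A request that sends size_limit=100000 is checked against 100000 MB.
function ddmfu_vulnerable_limit_bytes() {
    $mb = isset($_POST['size_limit'])
        ? (int) $_POST['size_limit']                 // attacker-controlled
        : (int) get_option('ddmfu_max_size_mb', 2);  // admin setting
    return $mb * 1024 * 1024;
}

// FIXED: the limit comes only from the stored admin setting, and is capped by
// what PHP itself accepts (wp_max_upload_size() returns the smaller of
// upload_max_filesize and post_max_size, in bytes).
function ddmfu_fixed_limit_bytes() {
    $mb = (int) get_option('ddmfu_max_size_mb', 2);
    if ($mb < 1) {
        $mb = 1;
    }
    return min($mb * 1024 * 1024, wp_max_upload_size());
}

function ddmfu_handle_upload() {
    if (empty($_FILES['upload']) || !is_uploaded_file($_FILES['upload']['tmp_name'])) {
        wp_send_json_error('no file received', 400);
    }
    $file = $_FILES['upload'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('upload failed', 400);
    }

    // $file['size'] is the byte count PHP actually wrote to tmp_name; it is not
    // taken from any client-supplied header or form field. Compare it against
    // the server-side limit, never against a value echoed back by the client.
    $limit = ddmfu_fixed_limit_bytes();
    if ($file['size'] > $limit) {
        wp_send_json_error(sprintf('file exceeds the %d byte limit', $limit), 413);
    }

    // Only after the size check hand the file to WordPress, with an explicit
    // allow-list of types so the upload handler is not a second weak point.
    $result = wp_handle_upload($file, array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    ));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(array('file' => basename($result['file'])));
}

// Public form: the nopriv hook is what makes the check reachable unauthenticated.
add_action('wp_ajax_ddmfu_upload', 'ddmfu_handle_upload');
add_action('wp_ajax_nopriv_ddmfu_upload', 'ddmfu_handle_upload');
```

A client-side maximum in the drop zone's JavaScript is fine as a usability hint, but the server must never read the limit back out of the request; the only inputs to the check are the stored setting, PHP's own ceiling, and the size PHP recorded for the received file.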
Impact
Successful exploitation lets uploads bypass the configured size ceiling, so an attacker can place files far larger than the administrator intended on the server; depending on server configuration this can lead to storage exhaustion or denial of service [1]. The effective per-request ceiling then falls back to PHP's upload_max_filesize and post_max_size (and any web-server body-size limit) rather than the plugin setting.
Mitigation
Update to version 1.3.6.5 or later, released on September 26, 2022 [1]. No other workaround is documented; upgrading is the only recommended fix. Until the update is applied, the plugin's own limit should not be relied on: only the PHP and web-server request-size limits bound what the form will accept.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)