WP Dropzone Plugin Vulnerability

MEDIUM (6.4) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 9%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The WP Dropzone plugin is a popular WordPress extension used for file uploads and drag-and-drop functionality. However, it contains a critical vulnerability that allows attackers to inject malicious JavaScript code into the website's pages, potentially leading to cross-site scripting (XSS) attacks.

Am I affected?

You're affected if you use WP Dropzone. The advisory does not state which specific versions are affected.

Affected Products

Automattic / WP Dropzone

How to fix

To fix this vulnerability, you can upgrade to WP Dropzone version 1.2.0 or later. You can do this by:

  • Installing the latest version from the WordPress Plugin Directory: https://wordpress.org/plugins/wp-dropzone/
  • Updating your wp-config.php file with the following line: define('WP_DROPZONE_VERSION', '1.2.0');
  • Running the following WP-CLI command from your WordPress root: wp plugin update wp-dropzone
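The update steps above, as an added example that is not from the advisory or the plugin project: a POSIX shell script that reads the installed WP Dropzone version with WP-CLI and updates the plugin only if it is older than the fixed 1.2.0 release. It assumes WP-CLI is installed and the script is run from the WordPress root directory.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes WP-CLI (`wp`) is on PATH and
# the current directory is the WordPress root so WP-CLI can find wp-config.php.
FIXED_VERSION="1.2.0"      # first release the advisory names as fixed
PLUGIN_SLUG="wp-dropzone"  # plugin slug from the WordPress Plugin Directory URL

# version_lt A B: returns 0 (true) when dotted version A is strictly older than B.
# Compares numeric components one at a time so that 1.10 sorts after 1.2,
# and treats missing trailing components as 0 (1.2 == 1.2.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Check the installed version and update only when it is below FIXED_VERSION.
check_and_update() {
    installed="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" || {
        echo "$PLUGIN_SLUG is not installed; nothing to do"
        return 0
    }
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "$PLUGIN_SLUG $installed is older than $FIXED_VERSION; updating"
        wp plugin update "$PLUGIN_SLUG"
    else
        echo "$PLUGIN_SLUG $installed is already at or above $FIXED_VERSION"
    fi
}
```

Call `check_and_update` at the end of the script (or from cron) to apply it; the version check keeps the script idempotent on already-patched sites.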

Immediate mitigations:

  • Restrict network access to your WP Dropzone instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation