Description
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary file upload that can lead to remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Drag and Drop Multiple File Upload plugin for Contact Form 7 contains insufficient file type validation in a core upload function. Unauthenticated users can supply any file type, causing the server to store the file without restrictions. This allows attackers to upload potentially executable content, creating a path for remote code execution if the uploaded file can later be accessed and executed by the web server. The vulnerability is classified under CWE-434, highlighting missing validation of file type and extension.

Affected Systems

Vendors: glenwpcoder. Product: Drag and Drop Multiple File Upload for Contact Form 7. Affected versions include all releases up to and including 1.3.7.3. WordPress sites running any of these versions are susceptible.

Risk and Exploitability

The CVSS base score of 8.1 denotes a high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at the time of this analysis. Although the vulnerability is not present in the CISA KEV catalog, its potential for remote code execution warrants attention. Exploitation requires that the target form include a multiple file upload field configured to accept a wildcard ('*') file type; an attacker then only needs to submit that form, with no authentication or elevated permissions. Once the malicious file is stored on the server, an attacker may execute it if the web server permits execution of the uploaded content.

Generated by OpenCVE AI on April 15, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Drag and Drop Multiple File Upload plugin to the latest version that removes the unvalidated upload path (or uninstall the plugin entirely if no safe update is available).
  • If upgrading is not immediately possible, limit accepted file types on the upload fields to a strict whitelist such as .jpg, .png, and .pdf, and ensure the plugin’s configuration does not allow wildcard entries.
  • Disable the multiple file upload feature or remove the form field from publicly accessible pages until a secure version is deployed.
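To make the allowlist recommendation above concrete, here is an added PHP example (not the plugin's or vendor's code) of an upload check that refuses a wildcard setting outright and verifies both the final extension and the content-sniffed MIME type against a fixed allowlist. The function names, the ALLOWED_TYPES map and the shape of the inputs are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Assumed inputs: the field's configured
// accepted-types string (e.g. "jpg|png|pdf" or "*") and one $_FILES entry.

const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// Turn the configured setting into an allowlist. A wildcard, or any extension
// outside ALLOWED_TYPES, yields an empty list: form configuration can narrow
// what the server accepts but never widen it.
function accepted_extensions(string $configured): array {
    $exts = [];
    foreach (preg_split('/[|,\s]+/', strtolower(trim($configured))) as $ext) {
        $ext = ltrim($ext, '.');
        if ($ext === '') { continue; }
        if ($ext === '*' || !isset(ALLOWED_TYPES[$ext])) {
            return [];
        }
        $exts[] = $ext;
    }
    return $exts;
}

// Validate one upload: the last extension must be allowlisted and the sniffed
// MIME type must match it. Returns null when acceptable, else a reason.
function validate_upload(string $configured, array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $allowed = accepted_extensions($configured);
    if ($allowed === []) {
        return 'field is configured with a wildcard or unknown type; rejecting';
    }
    // Only the final extension counts, so a double extension such as
    // name.php.jpg still has to pass the MIME check as a real JPEG.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return "extension .$ext is not permitted";
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'unknown';
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return "content type $mime does not match .$ext";
    }
    return null;
}
```

An accepted file should still be stored under a server-generated name in a directory where the web server does not execute scripts; the validator alone does not make the stored file safe to serve.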

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Glenwpcoder; Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7; Wordpress; Wordpress wordpress
Vendors & Products | | Glenwpcoder; Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
Title | | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload
Weaknesses | | CWE-434
References | |
Metrics cvssV3_1 | | {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:14.638Z

Reserved: 2026-03-02T19:52:41.688Z

Link: CVE-2026-3459

Vulnrichment

Updated: 2026-03-06T18:15:26.117Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T19:16:19.087

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-3459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses