Description
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.
Published: 2026-04-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw lets an unauthenticated attacker upload a PHP file through the form's drop zone. Two mistakes combine. First, the plugin reads the file extension from the raw, unsanitized filename and compares it against a list of permitted types that the request itself supplies, instead of the administrator-configured list. Second, it then writes the file under a name passed through sanitize_file_name(), which strips characters such as '$'. For example, a filename ending in '.ph$p', paired with a request type list that contains 'ph$p', passes validation and lands on disk with a '.php' extension. Successful exploitation can lead to remote code execution, although the plugin ships an .htaccess rule in the upload directory and randomizes stored filenames, both of which reduce real-world exploitability.
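
To make the ordering bug concrete, the following is an added Python model of the two code paths described above. It is not the plugin's code, and its sanitize_file_name() is a reduced stand-in for WordPress's function that keeps only the character stripping relevant here. The '|'-separated type list, the administrator allowlist values and the filenames are assumptions chosen for illustration. The hardened path also goes one step beyond the advisory by rejecting double extensions such as shell.php.jpg, which the reduced sanitizer would not otherwise catch.

```python
import os
import re
from typing import Optional

# Characters removed by WordPress's sanitize_file_name(). The real function
# also normalises whitespace and dots and runs extra filters; this stand-in
# keeps only the character stripping that matters for the described bypass.
SPECIAL_CHARS = [
    "?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", '"', "&",
    "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", "%", "+", "\x00",
]

# Administrator-configured allowlist (assumed values for this example).
ADMIN_ALLOWED_TYPES = {"jpg", "jpeg", "png", "pdf"}

# Extensions a web server may hand to the PHP interpreter; the hardened path
# uses them to reject double-extension names such as shell.php.jpg.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "phps"}


def sanitize_file_name(name: str) -> str:
    """Strip the characters WordPress removes, then collapse whitespace to '-'."""
    for ch in SPECIAL_CHARS:
        name = name.replace(ch, "")
    return re.sub(r"\s+", "-", name).strip()


def get_extension(name: str) -> str:
    """pathinfo()-style extension: everything after the last dot, lower-cased."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_type_list(types: str) -> set:
    """Parse a '|'-separated type list (separator is an assumption here)."""
    return {t.strip().lower() for t in types.split("|") if t.strip()}


def vulnerable_upload(filename: str, requested_types: str) -> Optional[str]:
    """Model of the flawed ordering described in the advisory.

    The extension is read from the raw filename and compared against a type
    list taken from the request itself; the file is then written under the
    sanitized name, so 'shell.ph$p' validates as 'ph$p' and is stored as
    'shell.php'. Returns the stored filename, or None if rejected.
    """
    ext = get_extension(filename)
    if ext not in parse_type_list(requested_types):
        return None
    return sanitize_file_name(filename)


def hardened_upload(filename: str, requested_types: str) -> Optional[str]:
    """Corrected ordering: sanitize first, validate the exact name that will
    be written, and ignore the client's type list in favour of the admin one.
    """
    # requested_types is client-controlled and deliberately never consulted.
    saved = sanitize_file_name(os.path.basename(filename))
    if not saved or saved.startswith("."):
        return None
    parts = saved.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ADMIN_ALLOWED_TYPES:
        return None
    # Reject any inner segment that a misconfigured server might execute.
    if any(seg in SCRIPT_EXTENSIONS for seg in parts[1:-1]):
        return None
    return saved


if __name__ == "__main__":
    # Constructed request values mirroring the described bypass.
    print(vulnerable_upload("shell.ph$p", "jpg|png|ph$p"))  # shell.php
    print(hardened_upload("shell.ph$p", "jpg|png|ph$p"))    # None
```

Run stand-alone, the script prints shell.php for the vulnerable path and None for the hardened one. The point of the hardened version is the order of operations: derive the extension from the exact string that will be written to disk, and never let the request choose the allowlist.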

Affected Systems

WordPress sites that use the Drag and Drop File Upload for Contact Form 7 plugin version 1.1.3 or earlier. The plugin is provided by addonsorg and commonly integrated with the Contact Form 7 ecosystem, affecting any standard WordPress installation that has the plugin installed.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, network-reachable flaw with total impact, with the high attack complexity encoding the .htaccess rule and filename randomization that stand between an upload and code execution. The EPSS score below 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the upload endpoint needs no authentication, any exposed site running an affected version can be probed. Whether an upload becomes code execution depends on the hosting stack: the bundled .htaccess is honored only by Apache-style servers with overrides enabled and is ignored by nginx, and the randomized filename has to be discovered or leaked before the attacker can request it. These mitigations lower the likelihood but do not eliminate the risk.

Generated by OpenCVE AI on April 28, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Drag and Drop File Upload for Contact Form 7 plugin to a release later than 1.1.3 as soon as the vendor publishes one; until then, deactivate the plugin or remove its upload field from the affected forms, since the upload endpoint needs no authentication.
  • Do not rely on the plugin's allowed-file-type setting as a mitigation in affected versions: the flaw lets the request override the administrator-configured list. Enforce extension and MIME-type checks server-side, after sanitization, in a layer the client cannot influence.
  • Treat the contact form's uploader as an unauthenticated, public input. Where uploads are not needed, disable them; where they are, keep the accepted types to a minimal allowlist and store files outside the web root or behind a handler that serves them as downloads only.
  • Verify that the upload directory denies script execution: confirm the .htaccess rule is present and honored (Apache with AllowOverride enabled) and add an equivalent server-level rule on nginx or any other server that ignores .htaccess. Test by placing a harmless .php file in the directory, confirming it is denied or served as a download rather than executed, and then removing it.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Addonsorg
                                       Addonsorg drag And Drop File Upload For Contact Form 7
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Addonsorg
                                       Addonsorg drag And Drop File Upload For Contact Form 7
                                       Wordpress
                                       Wordpress wordpress

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 06:00:00 +0000

Type Values Removed Values Added
Description The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.
Title Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Addonsorg Drag And Drop File Upload For Contact Form 7
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-24T18:30:14.939Z

Reserved: 2026-04-01T17:45:09.888Z

Link: CVE-2026-5364

Vulnrichment

Updated: 2026-04-24T18:30:02.355Z

NVD

Status : Deferred

Published: 2026-04-24T06:16:08.480

Modified: 2026-04-24T14:38:26.740

Link: CVE-2026-5364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:18:09Z

Weaknesses