Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
Published: 2026-04-17
Score: 8.1 High
EPSS: 3.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerable plugin enables users to upload files through a drag‑and‑drop interface. Insufficient validation occurs when custom blacklist types replace the default dangerous extension denylist, and the filename sanitization function is bypassed for non‑ASCII filenames. An attacker can upload an arbitrary file, such as a PHP script, to the server. If the file is executable, the attacker can achieve remote code execution on the host. This weakness is identified as CWE‑434.

Affected Systems

Any WordPress installation using the Drag and Drop Multiple File Upload for Contact Form 7 plugin, version 1.3.9.6 or earlier. The plugin is distributed by glenwpcoder. No specific WordPress core or other plugin versions are required to be at any particular setting for the flaw to be exploitable.

Risk and Exploitability

The recorded CVSS score is 8.1, indicating high severity. The EPSS score is 3%, and the vulnerability is not listed in CISA’s KEV catalog. An unauthenticated attacker can trigger the flaw simply by submitting a file upload request with a non‑ASCII filename that passes the overridden blacklist. Because the upload reaches the server without authentication and the uploaded file can be placed in an executable directory, the exploitation path is straightforward and does not require additional privileges.

Generated by OpenCVE AI on May 16, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.3.9.6 that includes proper file type validation and corrects the blacklist handling.
  • Reconfigure the plugin (or the WordPress site) to restrict uploads to a safe list of file extensions and to reject non‑ASCII filenames.
  • Move the upload directory outside the document root or place an .htaccess rule to disable execution of uploaded files, such as adding "php_flag engine off" or "<Files *.php> deny from all </Files>".

Generated by OpenCVE AI on May 16, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Glenwpcoder
Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7
Wordpress
Wordpress wordpress
Vendors & Products Glenwpcoder
Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
Title Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Glenwpcoder Drag And Drop Multiple File Upload For Contact Form 7
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T18:34:48.917Z

Reserved: 2026-04-06T18:35:21.089Z

Link: CVE-2026-5718

cve-icon Vulnrichment

Updated: 2026-04-17T18:34:43.063Z

cve-icon NVD

Status : Deferred

Published: 2026-04-17T18:16:32.753

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-5718

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T14:45:25Z

Weaknesses