Description
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
Published: 2026-04-17
Score: 8.1 High
EPSS: 4.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress permits file uploads through its drag‑and‑drop interface. The vulnerability stems from insufficient file type validation when users configure custom blacklist types; the plugin replaces the default dangerous extension denylist instead of merging with it. Additionally, the filename sanitization function wpcf7_antiscript_file_name() can be bypassed for filenames containing non‑ASCII characters. An unauthenticated attacker can exploit these weaknesses to upload arbitrary files – including PHP scripts – to the server, which can then be executed to gain remote code execution. The flaw was first reported by Leonid Semenenko and a partial patch was released in version 1.3.9.7, but a workaround for that patch was later discovered by Nguyen Hung, allowing continued exploitation in affected releases.

Affected Systems

Any WordPress installation using the Drag and Drop Multiple File Upload for Contact Form 7 plugin, version 1.3.9.6 or earlier. The plugin is distributed by glenwpcoder. No specific WordPress core or other plugin versions are required to be at any particular setting for the flaw to be exploitable.

Risk and Exploitability

The recorded CVSS score is 8.1, indicating high severity. The EPSS score is 4%, and the vulnerability is not listed in CISA’s KEV catalog. An unauthenticated attacker can trigger the flaw simply by submitting a file upload request with a non‑ASCII filename that passes the overridden blacklist. Because the upload reaches the server without authentication and the uploaded file can be placed in an executable directory, the exploitation path is straightforward and does not require additional privileges.

Generated by OpenCVE AI on May 27, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.3.9.6 that includes proper file type validation and corrects the blacklist handling.
  • Reconfigure the plugin (or the WordPress site) to restrict uploads to a safe list of file extensions and to reject non‑ASCII filenames.
  • Move the upload directory outside the document root or place an .htaccess rule to disable execution of uploaded files, such as adding "php_flag engine off" or "<Files *.php> deny from all </Files>".

Generated by OpenCVE AI on May 27, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
Title Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
References

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Glenwpcoder
Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7
Wordpress
Wordpress wordpress
Vendors & Products Glenwpcoder
Glenwpcoder drag And Drop Multiple File Upload For Contact Form 7
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
Title Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Glenwpcoder Drag And Drop Multiple File Upload For Contact Form 7
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T00:26:11.453Z

Reserved: 2026-04-06T18:35:21.089Z

Link: CVE-2026-5718

cve-icon Vulnrichment

Updated: 2026-04-17T18:34:43.063Z

cve-icon NVD

Status : Deferred

Published: 2026-04-17T18:16:32.753

Modified: 2026-06-17T10:59:33.150

Link: CVE-2026-5718

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T14:45:35Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type