Impact
The Drag and Drop Multiple File Upload for Contact Form 7 plugin allows an administrator-level or higher user to insert arbitrary text into the drag_n_drop_text and drag_n_drop_browse_text settings. Because the input is not properly sanitized on save or escaped on output, the inserted content is stored and later rendered on pages that use the plugin. When a user visits a page containing the injected settings, the visitor's browser executes the malicious script, enabling an attacker to steal session cookies, hijack accounts, deface content, or redirect to phishing sites. The vulnerability does not provide arbitrary code execution on the server, but it allows client-side script injection that can compromise user confidentiality and the integrity of web pages.
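The pattern described above, as an added Python model rather than the plugin's own code: the two setting names come from the advisory, while the stored values, the markup template and the checking routine are constructed here to show why escaping at output time (WordPress's esc_html()/esc_attr()) stops the stored script from reaching the browser.

```python
import html
from html.parser import HTMLParser

# Constructed values for the two settings named in the advisory, standing in
# for text an administrator could save. They are not taken from the page.
STORED_SETTINGS = {
    "drag_n_drop_text": "Drop files here<script>alert(1)</script>",
    "drag_n_drop_browse_text": '" onmouseover="alert(1)',
}


def render_vulnerable(settings):
    """Interpolates the stored settings into markup unescaped (the defect class)."""
    text, browse = settings["drag_n_drop_text"], settings["drag_n_drop_browse_text"]
    return (f'<span class="dnd-upload-text">{text}</span>'
            f'<button type="button" title="{browse}">{browse}</button>')


def esc(value):
    """Output-time escaping; html.escape covers both the text and the quoted-attribute
    context used here (WordPress separates these as esc_html() and esc_attr())."""
    return html.escape(value, quote=True)


def render_hardened(settings):
    """Same template, but every stored value is escaped for the context it lands in."""
    text, browse = settings["drag_n_drop_text"], settings["drag_n_drop_browse_text"]
    return (f'<span class="dnd-upload-text">{esc(text)}</span>'
            f'<button type="button" title="{esc(browse)}">{esc(browse)}</button>')


class ScriptSink(HTMLParser):
    """Records script elements and inline event handlers as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        self.findings += [f"{n} handler on <{tag}>" for n, _ in attrs if n.startswith("on")]


def script_findings(markup):
    """Defender check: list what a browser would execute from the rendered markup."""
    sink = ScriptSink()
    sink.feed(markup)
    sink.close()
    return sink.findings


if __name__ == "__main__":
    print(script_findings(render_vulnerable(STORED_SETTINGS)))  # two findings
    print(script_findings(render_hardened(STORED_SETTINGS)))    # []
```

The parser-based check is the useful part for a reviewer: the escaped title attribute still contains the literal text `onmouseover=`, but it stays inside the attribute value, so a naive substring match would misreport it while the parser correctly finds nothing executable.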
Affected Systems
WordPress sites using the glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7 plugin in any version up to and including 1.3.9.7 are affected. Injecting the malicious text requires an administrator with access to the plugin settings, so exploitation requires authenticated, elevated access within the WordPress installation.
Risk and Exploitability
The CVSS score of 4.4 reflects moderate risk. EPSS is not available, but, given the need for administrator access, the likelihood of exploitation is low in environments with strong role separation. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known active exploitation. An attacker would need to compromise a user with administrative privileges, modify the plugin settings to inject scripts, and then rely on unsuspecting visitors to trigger the stored XSS when they load affected pages.
OpenCVE Enrichment