PT-2026-23495 · WordPress · Drag/Drop Multiple File Upload – Contact Form 7

Thomas Sanzey · Published 2026-03-05 · Updated 2026-03-08 · CVE-2026-3459

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress versions through 1.3.7.3

Description

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress has a flaw that allows for arbitrary file uploads. This is due to inadequate file type validation within the dnd upload cf7 upload function. An unauthenticated attacker could potentially upload arbitrary files to the server, which could lead to remote code execution. This is exploitable when a form includes a multiple file upload field and allows all file types ('*').

Recommendations

Update Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress to a version later than 1.3.7.3.

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2026-3459

Affected products

Drag/Drop Multiple File Upload – Contact Form 7