PT-2026-23495 · WordPress · Drag/Drop Multiple File Upload – Contact Form 7
Thomas Sanzey · Published 2026-03-05 · Updated 2026-03-08 · CVE-2026-3459
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress versions through 1.3.7.3
Description
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress has a flaw that allows for arbitrary file uploads. This is due to inadequate file type validation within the dnd_upload_cf7_upload function. An unauthenticated attacker could potentially upload arbitrary files to the server, which could lead to remote code execution. This is exploitable when a form includes a multiple file upload field and allows all file types ('*').
Recommendations
Update Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress to a version later than 1.3.7.3.
Fix
RCE
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Drag/Drop Multiple File Upload – Contact Form 7