PT-2026-33467 · WordPress · Drag/Drop Multiple File Upload

Published 2026-04-17 · Updated 2026-04-19 · CVE-2026-5710

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Drag and Drop Multiple File Upload for Contact Form 7, versions prior to 1.3.9.7
Description: Unauthenticated attackers can read and exfiltrate files readable by the web server process, delivered to them as email attachments. The plugin uses client-supplied `mfile[]` POST values to select email attachments without verifying that the named file was actually uploaded by that submission, without canonicalizing the path, and without enforcing a directory containment boundary. Specifically, in `dnd_wpcf7_posted_data()`, the user-submitted file names are appended to the upload URL without sanitization. Subsequently, in `dnd_cf7_mail_components()`, that URL is converted to a filesystem path with `str_replace()`, and only `file_exists()` is checked before the file is attached to the email. Path traversal sequences in `mfile[]` therefore cause files outside the upload directory to be disclosed as attachments. The reachable set is limited to the `wp-content` directory, because Contact Form 7's `wpcf7_is_file_path_in_content_dir()` rejects attachment paths outside it; everything under `wp-content` that the web server can read (other plugins' files, uploads, backups stored there) remains exposed.
Recommendations: Update the plugin to version 1.3.9.7 or later. As a temporary workaround until the update is applied, restrict the `mfile[]` parameter in the affected plugin functions: reject any value that is not a bare file name (for example, one containing a directory separator or a `..` segment) and only attach files the server itself recorded as uploaded for that submission.
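The following is an added illustration, not the plugin's own code: the resolution pattern the description calls out (client value appended to the upload URL, `str_replace()` back to a path, `file_exists()` as the only gate) beside a hardened resolver that requires a bare file name, canonicalizes with `realpath()`, enforces containment in the upload directory itself (a tighter boundary than Contact Form 7's `wp-content` check), and requires the name to appear in a server-side record of what the submission uploaded. The function names, the throwaway `wp-content` sandbox layout, the sample file names and the `$knownUploads` record are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Function names, the directory
// layout of the constructed wp-content sandbox and the sample file names
// are assumptions made for illustration.
declare(strict_types=1);

// Constructed sandbox: a throwaway wp-content tree with one legitimate upload
// and one non-upload file elsewhere under wp-content.
$contentDir = sys_get_temp_dir() . '/wpcontent_' . bin2hex(random_bytes(4));
$uploadDir  = $contentDir . '/uploads/wp_dndcf7_uploads/wpcf7-files';
if (!mkdir($uploadDir, 0700, true)) {
    exit("could not create sandbox\n");
}
file_put_contents($uploadDir . '/resume.pdf', 'legitimate upload');
file_put_contents($contentDir . '/secret-config.php', 'not an upload');

// Public URL of the upload directory, as a plugin would derive it from wp_upload_dir().
$uploadUrl = 'https://example.test/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files';

/**
 * The pattern the advisory describes: the client-supplied mfile[] value is
 * appended to the upload URL, the URL is mapped back to a filesystem path
 * with str_replace(), and only file_exists() gates the attachment.
 * No canonicalisation, no containment check, no upload provenance.
 */
function weak_resolve(string $clientValue, string $uploadUrl, string $uploadDir): ?string
{
    $url  = $uploadUrl . '/' . $clientValue;
    $path = str_replace($uploadUrl, $uploadDir, $url);
    return file_exists($path) ? $path : null;
}

/**
 * Hardened resolution (defence in depth, each check independent of the others):
 *  1. provenance: the name must be one the server itself recorded for this
 *     submission (a plain array here; a real plugin would consult its own
 *     per-submission record);
 *  2. the value must be a bare file name, never a path;
 *  3. realpath() resolves symlinks and dot segments, and the result must
 *     stay inside the canonical upload directory.
 */
function safe_resolve(string $clientValue, string $uploadDir, array $knownUploads): ?string
{
    if (!in_array($clientValue, $knownUploads, true)) {
        return null;                       // not something this submission uploaded
    }
    if ($clientValue === '' || basename($clientValue) !== $clientValue) {
        return null;                       // contains a directory component
    }
    $base = realpath($uploadDir);
    $real = realpath($uploadDir . DIRECTORY_SEPARATOR . $clientValue);
    if ($base === false || $real === false) {
        return null;                       // missing directory or file
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // escaped the upload directory
    }
    return $real;
}

// Assumption: the server recorded only resume.pdf as uploaded for this submission.
$knownUploads = ['resume.pdf'];

foreach (['resume.pdf', '../../../secret-config.php'] as $value) {
    printf("%-30s weak: %-9s safe: %s\n", $value,
        weak_resolve($value, $uploadUrl, $uploadDir) === null ? 'rejected' : 'attached',
        safe_resolve($value, $uploadDir, $knownUploads) === null ? 'rejected' : 'attached');
}

// Remove the sandbox, innermost directory first.
unlink($uploadDir . '/resume.pdf');
unlink($contentDir . '/secret-config.php');
foreach ([$uploadDir, dirname($uploadDir), dirname($uploadDir, 2), $contentDir] as $d) {
    rmdir($d);
}
```

Run with `php resolve.php`. The weak resolver attaches both names, because `../../../secret-config.php` still passes `file_exists()` once the URL prefix has been swapped for the directory; the hardened resolver attaches only `resume.pdf`. The `realpath()` containment check matters even when the name looks clean, since a symlink dropped into the upload directory would otherwise point outside it.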

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-5710

Affected Products

Drag/Drop Multiple File Upload