PT-2026-33468 · WordPress · Drag/Drop Multiple File Upload

Leonid Semenenko +1 · Published 2026-04-17 · Updated 2026-05-27 · CVE-2026-5718

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Drag and Drop Multiple File Upload for Contact Form 7 versions prior to 1.3.9.7

Description

Insufficient file type validation occurs when custom blacklist types are configured, as the system replaces the default dangerous extension denylist instead of merging with it. Additionally, the wpcf7_antiscript_file_name() function can be bypassed using filenames containing non-ASCII characters. This allows unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, potentially leading to remote code execution.

Recommendations

Update to a version later than 1.3.9.6.
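
The replace-versus-merge flaw from the description, shown beside a merged denylist and a fail-closed filename check. This is an added PHP illustration, not the plugin's code: the function names, the baseline extension list and the sample filenames are all constructed for the example.

```php
<?php
// Added illustration; not the plugin's code. All names below are hypothetical.

// Constructed baseline of extensions a web server may execute.
const DEFAULT_DENYLIST = ['php', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh', 'htaccess'];

// Flawed pattern from the description: a custom list replaces the baseline.
function denylist_replace(array $custom): array
{
    return $custom ?: DEFAULT_DENYLIST;
}

// Corrected pattern: a custom list can only extend the baseline.
function denylist_merge(array $custom): array
{
    $all = array_map('strtolower', array_merge(DEFAULT_DENYLIST, $custom));
    return array_values(array_unique($all));
}

// Fail-closed name check applied before anything is written to disk.
function is_upload_name_allowed(string $name, array $denylist): bool
{
    // Rejects non-ASCII bytes, path separators, control characters and leading dots.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,199}\z/', $name)) {
        return false;
    }
    $segments = explode('.', strtolower($name));
    array_shift($segments);            // drop the base name
    if ($segments === []) {
        return false;                  // no extension at all
    }
    // Check every segment so a denied extension followed by another one is refused too.
    foreach ($segments as $segment) {
        if ($segment === '' || in_array($segment, $denylist, true)) {
            return false;
        }
    }
    return true;
}

$custom = ['svg'];   // constructed admin setting: one custom blocked type
$names  = ['report.pdf', 'notes.php', 'image.php.jpg', "r\u{e9}sum\u{e9}.pdf"]; // constructed
foreach ($names as $n) {
    printf("%-16s replace=%s merge=%s\n", $n,
        var_export(is_upload_name_allowed($n, denylist_replace($custom)), true),
        var_export(is_upload_name_allowed($n, denylist_merge($custom)), true));
}
```

With the replaced list, the names carrying a `php` segment pass because the custom setting no longer contains it; with the merged list they are refused, and the non-ASCII name is refused in both cases by the strict character check.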

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-5718

Affected Products: Drag/Drop Multiple File Upload