PT-2026-34855 · WordPress · Drag/Drop File Upload For Contact Form 7

Thomas Sanzey · Published 2026-04-24 · Updated 2026-04-25

CVE-2026-5364
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Drag and Drop File Upload for Contact Form 7 versions prior to 1.1.4

Description: An arbitrary file upload flaw exists because the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by an attacker instead of restricting it to administrator-configured values. Validation is performed on the unsanitized extension, but the file is saved using a sanitized extension, so special characters such as $ are stripped during the save process. This enables unauthenticated attackers to upload arbitrary PHP files, potentially leading to remote code execution. Real-world exploitability is restricted by name randomization and the presence of an .htaccess file.

Recommendations: Update to a version later than 1.1.3.
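The ordering mistake the description outlines, shown as an added PHP illustration that is not the plugin's code: the function names, the extension blocklist and the filename-sanitizer stand-in are assumptions made for the example, and the vulnerable variant is placed beside the hardened one so the difference in check order is visible.

```php
<?php
// Added illustration of the check-before-sanitize ordering flaw described above.
// Not the plugin's code: names, blocklist and sanitizer stand-in are assumptions.

// Stand-in for a WordPress-style filename sanitizer that drops special
// characters such as '$' (assumption: mirrors that aspect of sanitize_file_name()).
function sanitize_name(string $name): string
{
    return preg_replace('/[^A-Za-z0-9._-]/', '', $name);
}

function extension_of(string $name): string
{
    return strtolower((string) pathinfo($name, PATHINFO_EXTENSION));
}

// Assumed blocklist of extensions the web server would execute.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'html', 'js'];

// Vulnerable ordering: the extension is read from the raw name and compared
// against a list that the request itself supplies. A raw extension such as
// "php$" is not on the blocklist, passes the client-supplied list, and only
// loses its '$' when the name is sanitized for saving.
function vulnerable_upload_name(string $raw_name, array $client_types): ?string
{
    $ext = extension_of($raw_name);
    if (in_array($ext, BLOCKED_EXTENSIONS, true) || !in_array($ext, $client_types, true)) {
        return null;
    }
    return sanitize_name($raw_name);
}

// Hardened ordering: sanitize first, take the extension from the name that will
// actually be written, and accept only administrator-configured types.
function hardened_upload_name(string $raw_name, array $admin_types): ?string
{
    $safe = sanitize_name($raw_name);
    $ext  = extension_of($safe);
    if ($ext === '' || in_array($ext, BLOCKED_EXTENSIONS, true) || !in_array($ext, $admin_types, true)) {
        return null;
    }
    return $safe;
}

// Constructed inputs: the administrator allows documents and images only.
$admin_types = ['pdf', 'png'];
var_dump(vulnerable_upload_name('report.php$', ['pdf', 'png', 'php$']));
var_dump(hardened_upload_name('report.php$', $admin_types));
var_dump(hardened_upload_name('report.pdf', $admin_types));
```

The vulnerable variant returns the sanitized name "report.php" for the first call, while the hardened variant rejects it and accepts only the plain "report.pdf".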

Weakness Enumeration: Unrestricted File Upload


Related Identifiers: CVE-2026-5364

Affected Products: Drag/Drop File Upload For Contact Form 7