CVE-2026-5718
Published: 2026-04-17
Priority: P1 · 82 · CVSS 3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.17% (89.6th percentile)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glenwpcoder | drag_and_drop_multiple_file_upload_for_contact_form_7 | <= 1.3.9.7 | — |
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin-ajax.php
- path: /wp-content/uploads/wp_dndcf7_uploads/
- command: action=dnd_codedropz_upload
- command: action=_wpcf7_check_nonce
- filename: {(unknown)}.php
- Monitor POST requests to /wp-admin/admin-ajax.php with action=dnd_codedropz_upload and multipart/form-data containing a .php filename — this is the exploit upload request pattern for CVE-2026-5718.
- Alert on successful upload responses containing both '"success":true' and '"file"' from the dnd_codedropz_upload action, indicating a file was accepted by the server.
- Monitor for GET requests to /wp-content/uploads/wp_dndcf7_uploads/ for PHP files — this path is where uploaded files are stored and can be accessed for remote code execution.
- The bypass leverages filenames containing non-ASCII characters to evade the wpcf7_antiscript_file_name() sanitization function — inspect upload filenames for non-ASCII characters paired with a .php extension.
- Unauthenticated exploitation is possible — no session cookie or authentication header is required in the exploit request chain.
- The vulnerability is only exploitable when custom blacklist file types are configured in the plugin, because doing so replaces the default dangerous extension denylist entirely rather than merging with it — sites using the default configuration (no custom blacklist) may have a different risk profile.
- Version 1.3.9.7 contains only a partial patch; a bypass was separately discovered, meaning systems running 1.3.9.7 remain vulnerable.
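As an added illustration, not code from the page or from any of its sources, the following Python applies the detection guidance above to a constructed JSON-lines request log: a PHP upload attempt via the plugin's AJAX action, the non-ASCII filename bypass, an accepted-upload response, and a PHP file fetched from the upload directory. The record field names (method, path, content_type, form, upload_filename, response_body) are assumptions about what a body-aware reverse proxy or WAF audit log would carry.

```python
import json
import re
from urllib.parse import unquote
# Constructed sample records (not from the page), one JSON object per line, in the shape a
# body-aware reverse proxy or WAF audit log might emit; field names are assumptions.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-04-17T10:00:01Z", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "content_type": "multipart/form-data; boundary=x", "form": {"action": "dnd_codedropz_upload"},
     "upload_filename": "sh\u00e9ll.php", "status": 200,
     "response_body": '{"success":true,"data":{"file":"sh\u00e9ll.php"}}'},
    {"ts": "2026-04-17T10:00:02Z", "method": "GET", "status": 200,
     "path": "/wp-content/uploads/wp_dndcf7_uploads/sh%C3%A9ll.php"},
    {"ts": "2026-04-17T10:01:00Z", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "content_type": "multipart/form-data; boundary=y", "form": {"action": "dnd_codedropz_upload"},
     "upload_filename": "resume.pdf", "status": 200,
     "response_body": '{"success":true,"data":{"file":"resume.pdf"}}'},
])

AJAX_PATH, UPLOAD_ACTION = "/wp-admin/admin-ajax.php", "dnd_codedropz_upload"
UPLOAD_DIR = "/wp-content/uploads/wp_dndcf7_uploads/"
PHP_EXT = re.compile(r"\.php$", re.IGNORECASE)


def classify(rec):
    """Apply the detection rules above to one record; returns (rule, detail) findings."""
    findings = []
    method, path, fname = rec.get("method"), unquote(rec.get("path", "")), rec.get("upload_filename", "")
    # Rule 1: multipart POST to admin-ajax.php with the plugin's upload action and a .php name.
    if (method == "POST" and path == AJAX_PATH
            and rec.get("form", {}).get("action") == UPLOAD_ACTION
            and rec.get("content_type", "").startswith("multipart/form-data")
            and PHP_EXT.search(fname)):
        findings.append(("php_upload_attempt", fname))
        # Rule 4: non-ASCII characters in the filename are the documented sanitizer bypass.
        if any(ord(c) > 127 for c in fname):
            findings.append(("non_ascii_php_filename", fname))
        # Rule 2: the server reported the file as accepted.
        body = rec.get("response_body", "")
        if '"success":true' in body and '"file"' in body:
            findings.append(("php_upload_accepted", fname))
    # Rule 3: a PHP file being fetched from the plugin's upload directory (path is percent-decoded).
    if method == "GET" and path.startswith(UPLOAD_DIR) and PHP_EXT.search(path):
        findings.append(("php_fetched_from_upload_dir", path))
    return findings


def scan(log_text):
    """Run classify() over JSON-lines records; returns (ts, rule, detail) tuples."""
    results = []
    for rec in map(json.loads, filter(str.strip, log_text.splitlines())):
        results.extend((rec.get("ts"), rule, detail) for rule, detail in classify(rec))
    return results
```

The benign resume.pdf upload in the sample produces no findings, so the rules fire only on the PHP-extension cases the guidance describes.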
CVSS provenance
- nvd (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.1 HIGH
VulDB
glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7 Plugin wpcf7_antiscript_file_name unrestricted upload
vuldb · 2026-04-17 · CVSS 8.1 · HIGH
A vulnerability identified as critical has been detected in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7 Plugin up to 1.3.9.6 on WordPress. This issue affects the function wpcf7_antiscript_file_name. This manipulation causes unrestricted upload.
This vulnerability is tracked as CVE-2026-5718. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
GHSA
GHSA-xj7v-jqv6-v48w: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including
ghsa_unreviewed · 2026-04-17 · HIGH · CWE-434
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
VulnCheck
codedropz drag_and_drop_multiple_file_upload_-_contact_form_7 Unrestricted Upload of File with Dangerous Type
vulncheck · 2026 · CVSS 8.1 · HIGH
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
Affected: codedropz drag_and_drop_multiple_fil
No detection rules found.
Nuclei
Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution
nuclei · CVSS 8.1 · HIGH
Drag and Drop Multiple File Upload - CF7

```yaml
          ]*value="|:)(\d+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=_wpcf7_check_nonce

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"data\"")'
        internal: true
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        part: body
        regex:
          - '"data":"([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------cf7dndboundary

        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="action"

        dnd_codedropz_upload
        -----------------------------cf7dndboundary
        Content-Disposition: form-data; name="security"
```
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L62
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L883
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L970
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L987
- https://plugins.trac.wordpress.org/changeset/3508522/drag-and-drop-multiple-file-upload-contact-form-7
- https://plugins.trac.wordpress.org/changeset/3548901/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38f95d40-a6d4-429c-9872-9d2531e942eb?source=cve