CVE-2026-5718
published 2026-04-17


Priority: P1 · 82 · high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.17% (89.6th percentile)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).

Affected (1 range)

Vendor: glenwpcoder
Product: drag_and_drop_multiple_file_upload_for_contact_form_7
Version range: <= 1.3.9.7
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Path: /wp-content/uploads/wp_dndcf7_uploads/
Command: action=dnd_codedropz_upload
Command: action=_wpcf7_check_nonce
Filename: {(unknown)}.php
  • Monitor POST requests to /wp-admin/admin-ajax.php with action=dnd_codedropz_upload and multipart/form-data containing a .php filename — this is the exploit upload request pattern for CVE-2026-5718.
  • Alert on successful upload responses containing both '"success":true' and '"file"' from the dnd_codedropz_upload action, indicating a file was accepted by the server.
  • Monitor for GET requests to /wp-content/uploads/wp_dndcf7_uploads/ for PHP files — this path is where uploaded files are stored and can be accessed for remote code execution.
  • The bypass leverages filenames containing non-ASCII characters to evade the wpcf7_antiscript_file_name() sanitization function — inspect upload filenames for non-ASCII characters paired with a .php extension.
  • Unauthenticated exploitation is possible — no session cookie or authentication header is required in the exploit request chain.
  • The vulnerability is only exploitable when custom blacklist file types are configured in the plugin, because doing so replaces the default dangerous extension denylist entirely rather than merging with it — sites using the default configuration (no custom blacklist) may have a different risk profile.
  • Version 1.3.9.7 contains only a partial patch; a bypass was separately discovered, meaning systems running 1.3.9.7 remain vulnerable.
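The indicators above as a defensive check: an added Python example (not from the page's sources or the plugin's code) that runs the request-pattern rules over constructed request records shaped like a WAF or reverse-proxy log; the record field names and the sample records are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed request records standing in for a WAF/reverse-proxy log that
# exposes the multipart upload filename. Field names are assumptions.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=dnd_codedropz_upload", "upload_filename": "résumé.php",
     "response": '{"success":true,"data":{"file":"résumé.php"}}'},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=dnd_codedropz_upload", "upload_filename": "resume.pdf",
     "response": '{"success":true,"data":{"file":"resume.pdf"}}'},
    {"method": "GET", "path": "/wp-content/uploads/wp_dndcf7_uploads/file.php",
     "body": "", "upload_filename": None, "response": ""},
    {"method": "GET", "path": "/wp-content/uploads/wp_dndcf7_uploads/photo.jpg",
     "body": "", "upload_filename": None, "response": ""},
]

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "dnd_codedropz_upload"
UPLOAD_DIR = "/wp-content/uploads/wp_dndcf7_uploads/"
PHP_EXT = re.compile(r"\.php$", re.IGNORECASE)


def has_non_ascii(name: str) -> bool:
    """True if the filename carries any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in name)


def classify(req: dict) -> list:
    """Return the indicator labels that fire for a single request record."""
    hits = []
    if req["method"] == "POST" and req["path"] == AJAX_ENDPOINT:
        action = parse_qs(req.get("body", "")).get("action", [""])[0]
        name = req.get("upload_filename") or ""
        if action == UPLOAD_ACTION and PHP_EXT.search(name):
            hits.append("php_upload_attempt")
            if has_non_ascii(name):
                hits.append("non_ascii_php_filename")  # the patch-bypass trait
            resp = req.get("response", "")
            if '"success":true' in resp and '"file"' in resp:
                hits.append("php_upload_accepted")  # server kept the file
    elif (req["method"] == "GET" and req["path"].startswith(UPLOAD_DIR)
          and PHP_EXT.search(req["path"])):
        hits.append("php_access_in_upload_dir")
    return hits


def scan(requests: list) -> list:
    """(index, labels) pairs for every record that triggered at least one rule."""
    return [(i, h) for i, req in enumerate(requests) if (h := classify(req))]
```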

CVSS provenance

NVD: v3.1, 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH