CVE-2026-3459

HIGH

Drag and Drop Multiple File Upload - Contact Form 7 <=1.3.7.3 - RCE

Title source: llm

Description

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.

References (4)

[Product] https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L1146

[Product] https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L886

[Product] https://plugins.trac.wordpress.org/changeset/3475121/drag-and-drop-multiple-file-upload-contact-form-7

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258?source=cve

Scores

CVSS v3 8.1

EPSS 0.0018

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

glenwpcoder/Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.5

Published Mar 05, 2026

Tracked Since Mar 06, 2026