CVE-2026-5718

HIGH · EXPLOITED · NUCLEI · LAB

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass

Title source: cna

Exploitation Summary

CVE-2026-5718 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including xxconi, rootdirective-sec, kyukazamiqq. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains no exploit code or technical details, only a link to an external payment site (satoshidisk.com). This is a social engineering lure attempting to monetize a fake exploit.

Description

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution. The vulnerability was originally reported by Leonid Semenenko (lsemenenko) and partially patched in version 1.3.9.7. A bypass for the patch was separately discovered and reported by Nguyen Hung (Mitchell).
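As an added defensive illustration (not the plugin's code, and not reproducing its real default denylist or the internals of wpcf7_antiscript_file_name()), the following PHP contrasts the two behaviours the description names: a configured blacklist that replaces the baseline list versus one merged with it, and a filename check that fails closed on non-ASCII names instead of letting them skip sanitization. The function names, the baseline list and the sample filenames are assumptions constructed for the example.

```php
<?php
// Added illustration, not the plugin's code. The baseline list below is an
// assumption standing in for the plugin's real default denylist.
const BASELINE_DENY = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                       'htaccess', 'js', 'html', 'htm', 'exe', 'sh'];

// Weak behaviour from the description: a site-configured blacklist REPLACES
// the baseline, so configuring ['exe', 'bat'] silently drops 'php'.
function deny_list_replacing(array $custom): array {
    return $custom === [] ? BASELINE_DENY : $custom;
}

// Fixed behaviour: configured entries are merged with the baseline, so an
// operator can only add denied types, never remove one.
function deny_list_merged(array $custom): array {
    $all = array_map(fn($e) => strtolower(trim($e, " .")), array_merge(BASELINE_DENY, $custom));
    return array_values(array_unique(array_filter($all)));
}

// Returns true only for a filename that is safe to store under $deny.
function filename_allowed(string $name, array $deny): bool {
    // Fail closed on any byte outside printable ASCII. The bypass in the
    // description depends on non-ASCII names taking a code path that skips
    // sanitization; rejecting them outright leaves no such path.
    if (preg_match('/[^\x20-\x7E]/', $name) === 1) {
        return false;
    }
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);               // the leading segment is the base name
    if ($parts === []) {
        return false;                  // no extension at all: refuse rather than guess
    }
    foreach ($parts as $ext) {         // every segment is checked, so a.php.jpg is caught too
        if (in_array($ext, $deny, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample configuration: the operator only meant to block executables.
$custom = ['exe', 'bat'];
foreach (['report.pdf', 'shell.php', 'shell.php.jpg', "r\u{00E9}sum\u{00E9}.php"] as $name) {
    printf("%-22s replacing=%s merged=%s\n", $name,
        filename_allowed($name, deny_list_replacing($custom)) ? 'allow' : 'deny',
        filename_allowed($name, deny_list_merged($custom)) ? 'allow' : 'deny');
}
```

Running it side by side shows the replacing list letting a PHP name through as soon as any custom blacklist is set, while the merged list and the ASCII-only check refuse each of the risky names.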

Exploits (4)

Source: github · SUSPICIOUS
by xxconi · poc
https://github.com/xxconi/CVE-2026-5718-PR-V-EXPLO-T

The repository contains no exploit code or technical details, only a link to an external payment site (satoshidisk.com). This is a social engineering lure attempting to monetize a fake exploit.

Classification: Suspicious (95%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: WordPress (unspecified version)
No auth needed
Prerequisites: none
Analyzed by devstral-2 on Jun 10, 2026
Source: nomisec · WORKING POC
by xxconi · poc
https://github.com/xxconi/CVE-2026-5718

This repository contains a functional exploit for CVE-2026-5718, targeting an unauthenticated arbitrary file upload vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 plugin. The exploit chains two logic flaws: nonce exposure and blacklist replacement, leading to RCE via non-ASCII filename bypass.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6
No auth needed
Prerequisites: CF7 form with [mfile] field and custom blacklist configuration
Analyzed by devstral-2 on May 26, 2026
Source: nomisec · WORKING POC
by rootdirective-sec · remote
https://github.com/rootdirective-sec/cve-2026-5718-Lab

This repository contains a functional exploit PoC for CVE-2026-5718, an arbitrary file upload vulnerability in the WordPress plugin 'Drag and Drop Multiple File Upload for Contact Form 7' version 1.3.9.6. The PoC demonstrates a local Docker lab environment with vulnerable and patched versions, showcasing the bypass of blacklist validation using non-ASCII filenames to achieve RCE.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6
No auth needed
Prerequisites: Docker · Python 3 · WordPress with vulnerable plugin version
Analyzed by devstral-2 on May 12, 2026
Source: nomisec · WORKING POC
by kyukazamiqq · remote
https://github.com/kyukazamiqq/cve-2026-5718

This repository contains functional exploit code for CVE-2026-5718, targeting a vulnerability in the 'Drag and Drop Multiple File Upload for Contact Form 7' WordPress plugin. The exploit includes tools for discovering vulnerable forms and executing mass exploitation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Drag and Drop Multiple File Upload for Contact Form 7 (<= 1.3.9.6)
No auth needed
Prerequisites: WordPress site with vulnerable plugin installed · Contact Form 7 form IDs
Analyzed by devstral-2 on May 09, 2026

Nuclei Templates (1)

Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution
CRITICAL · VERIFIED · by zer0p0int

Scores

CVSS v3: 8.1
EPSS: 0.0403
EPSS Percentile: 89.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2026-04-20
CWE: CWE-434
Status: published
Products (2):
glenwpcoder/Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.6
glenwpcoder/Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.7
Published: Apr 17, 2026
Tracked Since: Apr 17, 2026