CVE-2026-3459
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
Analysis
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress installations using this plugin and document current versions; disable the multiple file upload feature in affected forms as a temporary measure. Within 7 days: Contact the plugin vendor for patch status and timeline; implement Web Application Firewall (WAF) rules to block suspicious file uploads; review recent upload logs for suspicious activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today