
Drag and Drop Multiple File Upload - Contact Form 7 CVE-2026-49055

EUVD-2026-36868 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 · Patchstack · GHSA-6wvr-3ch8-8c9p
CVSS 3.1: 7.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

vuln.today AI: 7.1 HIGH

Network-delivered via form submission (AV:N/AC:L/PR:N), the payload fires only when a user views it (UI:R), and execution in the admin's browser crosses a trust boundary into WordPress (S:C) with limited C/I/A.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:41 (vuln.today)

Description (CVE.org)

Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.9.7 versions.

Analysis (AI)

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7, versions 1.3.9.7 and earlier, allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Identify WordPress site with vulnerable plugin
Delivery: Submit contact form with crafted XSS payload
Exploit: Payload stored or reflected in admin view
Install: Administrator opens submission page
C2: Script executes in admin browser
Execute: Steal session or create rogue admin
Impact: Achieve persistent site takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the Drag and Drop Multiple File Upload - Contact Form 7 plugin at version 1.3.9.7 or earlier to be installed and active on a WordPress site with at least one Contact Form 7 form using the drag-and-drop upload field, plus a victim (typically a logged-in administrator or moderator) being induced to view the page that renders the unsanitized attacker input (the CVSS UI:R requirement). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates a network-reachable, low-complexity flaw exploitable without authentication but requiring user interaction, with low impact across a changed scope, typical of XSS that pivots from the public site into the admin context. …

Exploit Scenario: An unauthenticated attacker submits a contact form on a target WordPress site, embedding a JavaScript payload in a field (such as a manipulated filename or form parameter) processed by the vulnerable plugin. When a site administrator later reviews the submission in the WordPress dashboard, or when the rendered output is viewed by another user, the payload executes in that user's browser session, allowing cookie/session theft, CSRF-driven plugin installation, or creation of a rogue administrator account.

Remediation: An upstream fix is available per the Patchstack advisory; the released patched version was not independently confirmed from the provided data, so administrators should update the Drag and Drop Multiple File Upload - Contact Form 7 plugin to the latest available version greater than 1.3.9.7 from the WordPress plugin repository and verify the installed version after upgrade (advisory: https://patchstack.com/database/wordpress/plugin/drag-and-drop-multiple-file-upload-contact-form-7/vulnerability/wordpress-drag-and-drop-multiple-file-upload-contact-form-7-plugin-1-3-9-7-cross-site-scripting-xss-vulnerability). …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations using this plugin and verify versions in use. …
