Drag and Drop File Upload for Contact Form 7 CVE-2026-5364

| EUVD-2026-25399 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-24 Wordfence GHSA-8q7x-g4f6-63gp
PHP WordPress File Upload RCE
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 06:30 vuln.today

DescriptionNVD

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the attacker rather than being restricted to administrator-configured values, which when combined with the fact that validation occurs on the unsanitized extension while the file is saved with a sanitized extension, allows special characters like '$' to be stripped during the save process. This makes it possible for unauthenticated attackers to upload arbitrary PHP files and potentially achieve remote code execution, however, an .htaccess file and name randomization is in place which restricts real-world exploitability.

AnalysisAI

Remote code execution in Drag and Drop File Upload for Contact Form 7 plugin (≤1.1.3) allows unauthenticated attackers to upload arbitrary PHP files via a sanitization bypass vulnerability. The flaw exploits a race condition where file extension validation occurs on unsanitized input while the file saves with a sanitized extension, enabling special characters like '$' to be stripped mid-process. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all WordPress instances running Contact Form 7 with Drag and Drop File Upload plugin version ≤1.1.3 and disable the plugin immediately. Within 7 days: Upgrade to Contact Form 7 version 5.8+ and verify Drag and Drop File Upload plugin is at the latest available version; review server logs and uploaded files for suspicious PHP files. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-3844 CRITICAL
9.8 Apr 23

Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files an
CVE-2026-4106 MEDIUM POC
5.3 Apr 23

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some P
CVE-2026-5306 MEDIUM POC
5.4 Apr 28

Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low
CVE-2026-7106 HIGH
8.8 Apr 27

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom

CVE-2026-6741 HIGH
8.8 Apr 27

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Esca

Share

CVE-2026-5364 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy