CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation: when custom blacklist types are configured, the custom list replaces the default dangerous-extension denylist instead of being merged with it, and the wpcf7_antiscript_file_name() sanitization function is bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.
Analysis (AI)
Remote code execution in the Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via two file-validation weaknesses. The plugin's custom blacklist configuration overwrites the default protections instead of merging with them, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. …
Remediation (AI)
Within 24 hours: Disable or remove the Drag and Drop Multiple File Upload for Contact Form 7 plugin from all WordPress instances running versions ≤1.3.9.6; verify no unauthorized files were uploaded via file integrity checks. Within 7 days: Update to plugin version >1.3.9.6 if available, or implement a permanent alternative file upload solution; audit web server logs (past 90 days minimum) for suspicious upload activity and PHP execution in upload directories. …
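A defender-side audit helper for the file-integrity and upload-directory checks called for above, added here as an example; it is not code from the plugin or the advisory. It flags files whose name carries a server-side script extension anywhere in its dotted segments, or contains non-ASCII characters, and it NFKC-normalises names first so fullwidth look-alike letters are checked as their ASCII equivalents. The extension denylist and the sample file names are constructed assumptions.

```python
import os
import unicodedata

# Assumed denylist of extensions a typical web server may execute; extend to taste.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def classify(filename: str) -> list[str]:
    """Return the reasons a filename looks suspicious (empty list if none)."""
    reasons = []
    base = os.path.basename(filename)
    # NFKC folds fullwidth forms such as "ｐｈｐ" to "php" before the extension check.
    normalised = unicodedata.normalize("NFKC", base).lower()
    # Check every dotted segment, so "shell.php.jpg" is caught as well as "shell.php".
    segments = normalised.split(".")[1:]
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        reasons.append("script-extension")
    if not base.isascii():
        # Non-ASCII names are exactly the case the sanitiser mishandles; review them by hand.
        reasons.append("non-ascii-name")
    return reasons


def scan_listing(paths):
    """Run classify() over an already-collected list of paths (e.g. a backup manifest)."""
    return {p: r for p in paths if (r := classify(p))}


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree on disk and return {path: reasons} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify(path)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample listing standing in for a wp-content/uploads tree.
    sample = [
        "wp-content/uploads/2024/06/resume.pdf",
        "wp-content/uploads/2024/06/résumé.pdf",
        "wp-content/uploads/2024/06/cv.php",
        "wp-content/uploads/2024/06/photo.phtml.jpg",
    ]
    for path, reasons in scan_listing(sample).items():
        print(path, "->", ", ".join(reasons))
```

Point `scan_directory()` at the site's uploads directory and treat every hit as a candidate for the file-integrity review; a clean scan does not prove absence of compromise, so pair it with the log audit.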
External POC / Exploit Code
EUVD-2026-23459
GHSA-xj7v-jqv6-v48w