What is the CVSS score of CVE-2026-5718?

CVE-2026-5718 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-5718?

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.9.6) contains a remote code execution vulnerability that permits unauthenticated attackers to upload…

Is there a public PoC exploit available for CVE-2026-5718?

Yes, a public proof-of-concept exploit is available for CVE-2026-5718. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-5718?

Within 24 hours: Disable or remove the Drag and Drop Multiple File Upload for Contact Form 7 plugin from all WordPress instances running versions ≤1.3.9.6; verify no unauthorized files were uploaded via file integrity checks. Within 7 days: Update to plugin version >1.3.9.6 if available, or implement a permanent alternative file upload solution; audit web server logs (past 90 days minimum) for suspicious upload activity and PHP execution in upload directories. Within 30 days: Conduct full WordPress security assessment; implement web application firewall rules to restrict PHP execution in upload directories; establish file upload monitoring and vulnerability scanning procedures.

PHP CVE-2026-5718

EUVD-2026-23459 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-17 Wordfence

GHSA-xj7v-jqv6-v48w

PHP File Upload WordPress RCE

8.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 20:37 vuln.today

cvss_changed

Analysis Generated

Apr 17, 2026 - 18:44 vuln.today

EUVD ID Assigned

Apr 17, 2026 - 18:15 euvd

EUVD-2026-23459

Analysis Generated

Apr 17, 2026 - 18:15 vuln.today

CVE Published

Apr 17, 2026 - 17:25 nvd

HIGH 8.1

DescriptionCVE.org

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to achieve remote code execution.

AnalysisAI

Remote code execution in Drag and Drop Multiple File Upload for Contact Form 7 plugin (WordPress) versions ≤1.3.9.6 allows unauthenticated attackers to upload PHP webshells via dual file validation weaknesses. The plugin's custom blacklist configuration overwrites default protections instead of merging, and non-ASCII filenames bypass the wpcf7_antiscript_file_name() sanitizer. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Enumerate WordPress plugins via wp-json API

Delivery

Identify Contact Form 7 upload fields

Exploit

Craft non-ASCII filename (e.g., shell.phÞ)

Install

Upload PHP webshell via contact form

Access uploaded file directly at /wp-content/uploads/

Execute

Execute commands as web server user

Impact

Establish persistence and C2

Recon

Enumerate WordPress plugins via wp-json API

Delivery

Identify Contact Form 7 upload fields

Exploit

Craft non-ASCII filename (e.g., shell.phÞ)

Install

Upload PHP webshell via contact form

Access uploaded file directly at /wp-content/uploads/

Execute

Execute commands as web server user

Impact

Establish persistence and C2

Vulnerability AssessmentAI

Exploitation	Requires site administrator to have configured custom file type blacklist restrictions in the Drag and Drop Multiple File Upload for Contact Form 7 plugin settings - this is NOT the default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 8.1 score reflects High confidentiality, integrity, and availability impact with High attack complexity and no required privileges or user interaction (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker identifies a WordPress site running the vulnerable plugin with custom file type restrictions configured (detectable via Contact Form 7 form behavior or WordPress REST API enumeration). The attacker crafts a malicious filename using non-ASCII characters such as 'backdoor.phÞ' or Unicode homoglyphs that resemble legitimate extensions but bypass wpcf7_antiscript_file_name() sanitization. …
Remediation	Upgrade immediately to version 1.3.9.7 or later, which addresses both the blacklist merging logic and non-ASCII filename sanitization issues per WordPress plugin repository changeset 3508522 (https://plugins.trac.wordpress.org/changeset/3508522/drag-and-drop-multiple-file-upload-contact-form-7). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or remove the Drag and Drop Multiple File Upload for Contact Form 7 plugin from all WordPress instances running versions ≤1.3.9.6; verify no unauthorized files were uploaded via file integrity checks. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-5718 vulnerability details – vuln.today

Back

PHP CVE-2026-5718

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code