CVE-2026-3459 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: March 5, 2026
Drag and Drop Multiple File Upload - Contact Form 7 - Unrestricted File Upload
Published: March 5, 2026Updated: March 5, 2026Remote Exploitable
Overview
Drag and Drop Multiple File Upload - Contact Form 7 WordPress plugin <= 1.3.7.3 contains an unrestricted file upload vulnerability caused by insufficient file type validation in 'dnd_upload_cf7_upload' function, letting unauthenticated attackers upload arbitrary files, exploit requires a form with multiple file upload field accepting '*' file type.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
Mitigation
Update to the latest version of the plugin.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258?source=cve
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L1146
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L886
- https://plugins.trac.wordpress.org/changeset/3475121/drag-and-drop-multiple-file-upload-contact-form-7
Related Resources
Details
- CVE ID
- CVE-2026-3459
- Severity
- High
- CVSS Score
- 8.1
- Type
- unrestricted_file_upload
- Status
- unconfirmed
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H