CVE-2026-3459 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: March 5, 2026
Drag and Drop Multiple File Upload - Contact Form 7 - Unrestricted File Upload
Overview
Drag and Drop Multiple File Upload - Contact Form 7 WordPress plugin <= 1.3.7.3 contains an unrestricted file upload vulnerability caused by insufficient file type validation in 'dnd_upload_cf7_upload' function, letting unauthenticated attackers upload arbitrary files, exploit requires a form with multiple file upload field accepting '*' file type.
Severity & Score
Impact
Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.
Mitigation
Update to the latest version of the plugin.
References
- https://plugins.trac.wordpress.org/changeset/3475121/drag-and-drop-multiple-file-upload-contact-form-7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258?source=cve
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L1146
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L886
Social Media Activity(1 post)
š CVE-2026-3459 - High (8.1) The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This m... š https://www.thehackerwire.com/vulnerability/CVE-2026-3459/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-3459
- Severity
- High
- CVSS Score
- 8.1
- Type
- unrestricted_file_upload
- Status
- unconfirmed
- EPSS
- 12.2%
- Social Posts
- 1
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H