CVE-2026-5364 - Vulnerability Analysis

Overview

Drag and Drop File Upload for Contact Form 7 WordPress plugin <= 1.1.3 contains an unrestricted file upload vulnerability caused by improper sanitization of file extensions, letting unauthenticated attackers upload arbitrary PHP files, exploit requires no authentication.

Severity & Score

Impact

Unauthenticated attackers can upload arbitrary PHP files, potentially leading to remote code execution despite some mitigations.

Mitigation

Update to the latest version of the plugin.

References

• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L147
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L158
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/frontend/index.php#L15
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L147
• https://www.wordfence.com/threat-intel/vulnerabilities/id/0548608d-17d5-46f4-9d64-6e3b0552bf9d?source=cve
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/tags/1.1.2/backend/index.php#L181
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L158
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/backend/index.php#L181
• https://plugins.trac.wordpress.org/browser/drag-and-drop-file-upload-for-contact-form-7/trunk/frontend/index.php#L15
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3498020%40drag-and-drop-file-upload-for-contact-form-7&new=3498020%40drag-and-drop-file-upload-for-contact-form-7&sfp_email=&sfph_mail=

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner