LeakyCreds

CVE-2026-5718 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 17, 2026

Drag and Drop Multiple File Upload for Contact Form 7 - Unrestricted File Upload

Published: April 17, 2026 | Updated: April 17, 2026 | Remote Exploitable

Overview

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin, versions <= 1.3.9.6, contains an unrestricted file upload vulnerability. It is caused by insufficient file type validation and a bypass of filename sanitization using non-ASCII characters, which lets unauthenticated attackers upload arbitrary files and achieve remote code execution.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to the latest version, which must be later than 1.3.9.6.

Social Media Activity (2 posts)

TheHackerWire
@thehackerwire
Apr 17, 2026

🟠 CVE-2026-5718 - High (8.1) The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.6. This is due to insufficient file type validation that occurs when custom blacklist typ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5718/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-5718
Severity: High
CVSS Score: 8.1
Type: unrestricted_file_upload
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (Probability of exploitation in the next 30 days)