Drag and Drop Multiple File Upload for Contact Form 7 Plugin Vulnerability (CVE-2026-5710)

Security Alert Summary

The Drag and Drop Multiple File Upload for Contact Form 7 plugin contains a path traversal vulnerability that can allow unauthenticated attackers to read files within the wp-content directory by supplying crafted mfile[] POST values. Files can be disclosed as email attachments when the plugin sends Contact Form 7 messages.


CVE Details

  • CVE ID: CVE-2026-5710
  • Affected component: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress
  • Affected versions: Versions up to and including 1.3.9.6
  • Published: April 17, 2026 6:16:32 PM UTC
  • Last modified: April 17, 2026 6:16:32 PM UTC
  • CVSS v3.1: Base Score 7.5, Severity HIGH, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User interaction: None required (Network attack, no privileges and no user interaction)
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • CWE: CWE-22 (Path Traversal)

Technical Details

The vulnerability arises because the plugin uses client-supplied mfile[] POST values as the source of truth for selecting email attachments without performing server-side upload provenance checks, path canonicalization, or directory containment enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is appended directly to the plugin’s upload URL without sanitization. In dnd_cf7_mail_components() the URL is converted back to a filesystem path using str_replace(), and file_exists() is used as the only acceptance check before attaching the file to outgoing Contact Form 7 email.

Because path canonicalization and strict directory boundary checks are not enforced by the plugin, an attacker can include path traversal sequences in the mfile[] parameter to reference other files that are readable by the web server process. The report notes this disclosure is limited to files under the wp-content folder due to Contact Form 7’s wpcf7_is_file_path_in_content_dir() function.
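As an added illustration, not the plugin's own code, the following PHP shows the attachment-selection step hardened along the lines the advisory describes: a server-side record of what was actually uploaded, realpath() canonicalization, and a containment check against the upload directory. The function and variable names (resolve_attachment, $upload_dir, $server_uploaded) are hypothetical, and the sample upload folder is constructed in the system temp directory.

```php
<?php
// Added example, not the plugin's code. Hardened resolution of a client-supplied
// attachment name: provenance check, canonicalisation, directory containment.
// resolve_attachment(), $upload_dir and $server_uploaded are hypothetical names.

function resolve_attachment(string $upload_dir, array $server_uploaded, string $client_name): ?string
{
    // 1. Provenance: the client may only name a file the server itself stored
    //    for this submission. Strict comparison, no normalisation of the input.
    if (!in_array($client_name, $server_uploaded, true)) {
        return null;
    }
    // 2. Shape: a bare file name only; this rejects "../", "/" and "\" forms.
    if ($client_name === '' || $client_name !== basename($client_name)) {
        return null;
    }
    // 3. Canonicalise the trusted base and the candidate. realpath() resolves
    //    ".." and symlinks and returns false when the target does not exist.
    $base = realpath($upload_dir);
    $candidate = $base === false ? false
        : realpath($base . DIRECTORY_SEPARATOR . $client_name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // 4. Containment: the canonical file must lie strictly below the base, so a
    //    symlink inside the folder that points elsewhere is refused as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-check against a constructed upload folder in the system temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dnd-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'resume.pdf', 'constructed sample');
$known = ['resume.pdf'];
var_dump(resolve_attachment($dir, $known, 'resume.pdf') !== null);      // recorded upload: accepted
var_dump(resolve_attachment($dir, $known, '../outside.txt') === null);  // traversal form: refused
var_dump(resolve_attachment($dir, [], 'resume.pdf') === null);          // not recorded by server: refused
unlink($dir . DIRECTORY_SEPARATOR . 'resume.pdf');
rmdir($dir);
```

Note that file_exists() alone, the check the advisory says the plugin relies on, would accept the traversal form whenever the target exists; steps 1 and 4 are what close that gap.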


How This Could Impact Your Website

On a site where a public contact form allows uploads, multiple actors may interact with submitted messages: the site owner, internal staff who process form responses, and external contractors or contributors who may receive or handle emails. An unauthenticated attacker could submit crafted mfile[] values that cause the plugin to attach readable files from the wp-content directory to outgoing form emails. Those attachments could include configuration snippets, backup files, or other content stored under wp-content that is readable by the web server process.

Exposure of internal email addresses or file contents increases the risk of targeted phishing or social engineering against staff and external collaborators. The reported data indicates the primary effect is confidentiality loss; there is no reported integrity or availability impact.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and outgoing emails for unusual behavior or unexpected attachments.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

