Security Alert Summary
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress contains an arbitrary file upload vulnerability in versions up to and including 1.3.9.6. Insufficient file type validation when custom blacklist types are configured, combined with a bypass of the wpcf7_antiscript_file_name() sanitization for filenames containing non-ASCII characters, can allow unauthenticated attackers to upload arbitrary files, including PHP files, which may be leveraged to achieve remote code execution.
CVE Details
- CVE ID: CVE-2026-5718
- Affected component: Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress
- Affected versions: Versions up to and including 1.3.9.6
- Published: April 17, 2026, 6:16:32 PM UTC
- Last modified: April 17, 2026, 6:16:32 PM UTC
- CVSS v3.1: Base score 8.1, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack details from CVSS: Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Technical Details
The vulnerability is caused by insufficient file type validation in the plugin when site administrators configure custom blacklist (denylist) types. Instead of merging custom blacklist entries with the plugin’s default denylist of dangerous extensions, the custom configuration replaces the default list, removing protections for certain file extensions. In addition, the plugin’s filename sanitization function, wpcf7_antiscript_file_name(), can be bypassed when filenames include non-ASCII characters. Together these issues allow unauthenticated attackers to upload arbitrary files, including server-executable files such as PHP scripts.
Because uploaded files may be stored in a web-accessible location and a PHP file there may be executed by the web server, an attacker who successfully uploads a PHP file can run arbitrary code on the site, leading to data exposure, content modification, or further unauthorized actions. The published advisory describes only the named function and the file type validation behaviour; no additional endpoints or internal checks are documented.
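To make the two failure modes concrete, here is a small POSIX shell model of the validation logic described above. It is an added illustration written for this summary, not the plugin's code: the default denylist is a constructed example rather than the plugin's real default list, and the function names (check_upload, deny_list_replace, deny_list_merge, in_list) are hypothetical. It contrasts "replace" semantics, where a configured custom list discards the defaults, with "merge" semantics, and adds two hardening checks a reviewer would expect regardless of which list is in force: every dot-separated extension segment is tested, not just the last one, and any filename carrying a byte outside printable ASCII is refused before any extension logic runs.

```shell
#!/bin/sh
# Shell model of the validation behaviour described above. Added for this
# summary; it is NOT the plugin's code, and DEFAULT_DENY is a constructed
# example list, not the plugin's real default list.
export LC_ALL=C   # byte-wise matching so non-ASCII bytes are detectable

DEFAULT_DENY="php phtml php3 php4 php5 php7 phps phar cgi pl py"

# Is word $1 in the space-separated list $2?  Empty words never match.
in_list() {
    [ -n "$1" ] || return 1
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Flawed behaviour: a configured custom list REPLACES the default list,
# so custom="exe bat" silently stops blocking php.
deny_list_replace() {
    [ -n "$1" ] && printf '%s' "$1" || printf '%s' "$DEFAULT_DENY"
}

# Corrected behaviour: the custom list is MERGED with the default list.
deny_list_merge() {
    printf '%s %s' "$DEFAULT_DENY" "$1"
}

# check_upload MODE CUSTOM_LIST FILENAME  ->  prints "accept" or "reject"
# MODE is "replace" (flawed) or "merge" (fixed).
check_upload() {
    mode=$1; custom=$2; name=$3
    # Hardening: refuse any byte outside printable ASCII up front, so a
    # sanitiser that only reasons about ASCII cannot be sidestepped.
    if printf '%s' "$name" | grep -q '[^ -~]'; then
        echo reject; return
    fi
    if [ "$mode" = replace ]; then
        list=$(deny_list_replace "$custom")
    else
        list=$(deny_list_merge "$custom")
    fi
    rest=${name#*.}
    if [ "$rest" = "$name" ]; then echo accept; return; fi   # no extension
    # Test every dot-separated segment after the first, not just the last,
    # so double extensions such as shell.php.txt are caught too.
    hit=$(printf '%s\n' "$rest" | tr '.' '\n' | while read -r seg; do
        seg=$(printf '%s' "$seg" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
        if in_list "$seg" "$list"; then echo hit; break; fi
    done)
    if [ -n "$hit" ]; then echo reject; else echo accept; fi
}

# Demonstration over constructed filenames with a custom list of "exe bat".
for f in shell.php shell.php.txt Tool.EXE report.pdf; do
    printf '%-14s replace: %-7s merge: %s\n' "$f" \
        "$(check_upload replace "exe bat" "$f")" "$(check_upload merge "exe bat" "$f")"
done
```

With the custom list set to "exe bat", the replace variant accepts shell.php while the merge variant rejects it; both variants still reject shell.php when no custom list is configured, which is why the problem only appears once an administrator customises the denylist.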
How This Could Impact Your Website
The attack needs no account on the site: anyone who can reach a form built with the affected plugin can submit it. Consider a typical WordPress setup with a site owner, internal staff who manage content, and an external contractor who sends files through a contact form. If the site uses the affected plugin and remains unpatched, an unauthenticated attacker could submit specially crafted uploads through that form to place executable files on the server. Practical consequences include:
- Potential execution of uploaded code leading to data access or modification that affects content integrity and availability.
- Exposure of sensitive files or backups if the attacker's code can read the uploads directory or directories adjacent to it, including other visitors' form submissions, which raises the risk of targeted phishing or social engineering against internal staff and customers.
- Service disruption from defacement, malware, or removal of site content.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the plugin to a release newer than 1.3.9.6 that contains the fix. If you cannot update right away, deactivate the plugin or remove the drag-and-drop upload field from affected forms until you can.
- Review and reduce unnecessary user roles, especially contributors and other upload-capable roles. This does not close this particular hole, because the vulnerability needs no account at all, but it limits what an attacker gains from any credentials they obtain later.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins that increase your attack surface.
- Monitor site activity and server logs for unusual file uploads, unexpected PHP files, or other signs of compromise.
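The checks below are an added example for site administrators, written for this summary and not taken from the plugin or from WordPress. They assume a standard layout (wp-content/plugins/<slug> and wp-content/uploads), a GNU userland with sort -V, and Apache 2.4 with AllowOverride permitting .htaccess in the uploads tree; the function names are hypothetical. The script locates the plugin's header file, compares its Version: header against 1.3.9.6, lists files anywhere under uploads whose name carries a PHP-like extension (including double extensions such as shell.php.txt), and writes an .htaccess that refuses to serve such files from uploads. That last step is defence in depth, not a substitute for updating; nginx needs an equivalent location rule instead, which is not shown.

```shell
#!/bin/sh
# Added example for this summary; not the plugin's or WordPress's own code.
# Assumes: standard WordPress layout, GNU sort -V, Apache 2.4 for .htaccess.
export LC_ALL=C

PLUGIN_SLUG=drag-and-drop-multiple-file-upload-contact-form-7
LAST_VULNERABLE=1.3.9.6   # from the advisory: affected up to and including this

# Find the PHP file carrying the plugin header in a plugin directory ($1).
plugin_main_file() {
    grep -l 'Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1
}

# Extract the "Version:" header value from a plugin main file ($1).
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print "vulnerable" if version $1 is <= 1.3.9.6, otherwise "patched".
version_status() {
    newest=$(printf '%s\n%s\n' "$1" "$LAST_VULNERABLE" | sort -V | tail -n 1)
    if [ "$newest" = "$LAST_VULNERABLE" ]; then echo vulnerable; else echo patched; fi
}

# List files under an uploads tree ($1) whose name has a PHP-like extension in
# any position, case-insensitively (shell.php, Shell.PhP.txt, x.phtml, x.phar).
find_php_in_uploads() {
    find "$1" -type f | grep -iE '\.(php[0-9]?|phtml|phar)(\.|$)'
}

# Number of such files, for a quick yes/no on a large tree.
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Apache 2.4 defence in depth: refuse to serve PHP-like files from uploads ($1).
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Added by the site operator: never serve or execute PHP-like files from uploads.
<FilesMatch "\.(php[0-9]?|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# Usage: WP_ROOT=/var/www/html sh check-dnd-cf7.sh
if [ -n "${WP_ROOT:-}" ]; then
    main=$(plugin_main_file "$WP_ROOT/wp-content/plugins/$PLUGIN_SLUG")
    if [ -z "$main" ]; then
        echo "plugin not installed"
    else
        ver=$(plugin_version "$main")
        echo "installed version $ver: $(version_status "$ver")"
    fi
    echo "PHP-like files under uploads: $(count_php_in_uploads "$WP_ROOT/wp-content/uploads")"
    find_php_in_uploads "$WP_ROOT/wp-content/uploads"
    write_uploads_htaccess "$WP_ROOT/wp-content/uploads"
fi
```

Any file the scan reports should be treated as a possible web shell until proven otherwise: note its timestamp and owner, compare against your deployment records, and preserve a copy before removing it so the incident can be traced back through the web server's access log.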
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L62
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L883
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L970
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L987
- https://plugins.trac.wordpress.org/changeset/3508522/drag-and-drop-multiple-file-upload-contact-form-7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38f95d40-a6d4-429c-9872-9d2531e942eb?source=cve