Security Alert Summary
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress contains insufficient file type validation in a file upload handler. When a form includes a multiple file upload field accepting the wildcard type (*), unauthenticated attackers may be able to upload arbitrary files to the server, which could potentially allow remote code execution under some conditions.
CVE Details
- CVE ID: CVE-2026-3459
- Affected component: Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress
- Affected versions: Versions up to and including 1.3.7.3 (as stated in the CVE entry)
- Published: March 5, 2026 at 7:16:19 PM UTC
- Last modified: March 5, 2026 at 7:38:33 PM UTC
- CVSS v3.1: Base Score 8.1, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: No authentication required (PR:N); no user interaction required (UI:N); attack complexity is high (AC:H); attack vector: network (AV:N).
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Technical Details
The vulnerability is caused by insufficient file type validation in the plugin’s upload handler. The CVE description identifies the function responsible as dnd_upload_cf7_upload, and states that the flaw affects versions up to and including 1.3.7.3. Specifically, when a Contact Form 7 form includes a multiple file upload field with the accepted file type set to the wildcard *, the plugin may allow arbitrary files to be uploaded to the server because the expected file type checks are insufficient or bypassed.
The practical effect is that an unauthenticated attacker can submit files via the affected form field. The CVE notes this may make remote code execution possible if uploaded files can be executed in the site environment; the entry does not specify exploit details or confirmed remote code execution in the wild.
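To make the weakness concrete, the following Python sketch (added here for illustration; it is not the plugin's PHP code and does not reproduce its logic) shows how a server-side upload check should treat a form-level accept setting. It assumes a Contact Form 7 style accept string such as "*" or "pdf|png", a server-side extension allowlist, and a small table of magic bytes; all three are assumptions for the example. The point is that a wildcard must collapse to the server's own allowlist rather than switch validation off, and that the filename's every extension, not just the last one, is checked against types a web server might execute.

```python
import os
import re

# Server-side allowlist of extensions a contact form typically needs.
# The form's accept setting (including the wildcard "*") is only a client-side
# hint and is never trusted on its own. Constructed for this example.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}

# Extensions a web server may execute or interpret. Rejected wherever they
# appear in a multi-dot name (e.g. "report.php.txt"), not only at the end.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "htaccess", "cgi", "pl", "sh",
}

# Leading bytes expected for the binary types in the allowlist.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "docx": b"PK\x03\x04",
}


def normalize_accept(accept):
    """Turn a form-level accept string ("*", "pdf|png") into the effective allowlist.

    A wildcard or empty value must not disable validation: it collapses to the
    server allowlist. A specific list may narrow the allowlist, never widen it.
    """
    accept = (accept or "").strip()
    if accept in ("", "*"):
        return set(ALLOWED_EXTENSIONS)
    requested = {
        a.strip().lstrip(".").lower()
        for a in re.split(r"[|,\s]+", accept)
        if a.strip()
    }
    return requested & ALLOWED_EXTENSIONS


def validate_upload(filename, content, accept="*"):
    """Return (ok, reason); ok is True only when every check passes."""
    allowed = normalize_accept(accept)

    # Strip any directory component the client may have sent.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return False, "invalid filename"

    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"

    # Every extension in the name is examined, so "x.php.txt" and ".htaccess"
    # are both rejected before the allowlist is consulted.
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension"

    ext = exts[-1]
    if ext not in allowed:
        return False, f"extension .{ext} not allowed"

    # For binary types, the content must start with the expected signature.
    sig = MAGIC.get(ext)
    if sig is not None and not content.startswith(sig):
        return False, "content does not match extension"

    return True, "ok"
```

A real handler would additionally store files under a server-generated name, outside any directory the web server executes scripts from, and keep the uploads directory configured to serve files as static content.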
How This Could Impact Your Website
Consider a typical small business site where the site owner maintains forms used by staff and external contributors. An attacker could locate a publicly accessible contact form that uses the vulnerable plugin and submit crafted files through a multiple-file upload field configured with the wildcard type. If an attacker can upload executable content and the server executes it, this could lead to unauthorized code execution, data exposure, or disruption of services.
Potential real-world consequences include exposure of uploaded files containing private information, modification of site content or configuration, and disruption of normal operations. Sites that allow many external contributors or contractors to submit files via forms are at greater risk because more form endpoints increase the chance of a vulnerable configuration being accessible.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry specifies affected versions up to 1.3.7.3; a fixed version is not specified in the CVE data.)
- Review and reduce unnecessary user roles, especially contributors and any roles that can upload files.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins and restrict file upload functionality to trusted users and endpoints.
- Monitor site activity and uploads for unusual behavior, and review web server and application logs for unexpected file types or upload patterns.
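The last recommendation, reviewing web server logs for unexpected file types or upload patterns, can be started with a small script. The Python below is an added example written for this advisory, not a tool from the plugin or from Wordfence. It assumes the combined log format used by Apache and nginx, a contact form served at /contact/, and WordPress's default /wp-content/uploads/ path; the log lines are constructed. It flags two things a defender cares about after an arbitrary-upload bug: any request for a script-like file under the uploads directory, and source addresses that post to the form endpoint repeatedly in a short window.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions a web server may execute. A request for one of these under the
# uploads directory, in any position of the name, is a strong indicator that a
# script was written there.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# WordPress default upload location (assumed; adjust for custom installs).
UPLOADS_PREFIX = "/wp-content/uploads/"

# Constructed sample: a page view, three quick form submissions from one
# address, a legitimate media download, and two requests for a PHP-named
# file inside the uploads directory.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2026:19:20:01 +0000] "GET /contact/ HTTP/1.1" 200 5123
203.0.113.10 - - [05/Mar/2026:19:20:07 +0000] "POST /contact/ HTTP/1.1" 200 812
203.0.113.10 - - [05/Mar/2026:19:20:08 +0000] "POST /contact/ HTTP/1.1" 200 812
203.0.113.10 - - [05/Mar/2026:19:20:09 +0000] "POST /contact/ HTTP/1.1" 200 812
198.51.100.7 - - [05/Mar/2026:19:21:00 +0000] "GET /wp-content/uploads/2026/03/brochure.pdf HTTP/1.1" 200 90210
203.0.113.10 - - [05/Mar/2026:19:21:30 +0000] "GET /wp-content/uploads/2026/03/form-upload.php HTTP/1.1" 200 57
203.0.113.10 - - [05/Mar/2026:19:21:31 +0000] "GET /wp-content/uploads/2026/03/form-upload.php.jpg HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_requests(log_text):
    """Requests for script-like files under the uploads directory.

    Returns (ip, path, status) tuples in log order. A 200 means the file
    existed and was served (or executed); a 404 still shows someone probing.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT_RE.search(path):
            hits.append((rec["ip"], path, int(rec["status"])))
    return hits


def find_post_bursts(log_text, form_path, threshold=3):
    """Map of source IP -> POST count for addresses posting to form_path at
    least `threshold` times. Repeated submissions are how a multiple-file
    field gets abused, so the count is a cheap first filter."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] == form_path:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, path, status in find_script_requests(SAMPLE_LOG):
        print(f"script request  {ip}  {status}  {path}")
    for ip, n in find_post_bursts(SAMPLE_LOG, "/contact/").items():
        print(f"post burst      {ip}  {n} POSTs to /contact/")
```

Any hit from find_script_requests should be followed by listing the uploads directory for files with executable extensions and comparing their timestamps with the POST bursts; the log alone shows the request, not whether the file is still present.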
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L1146
- https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L886
- https://plugins.trac.wordpress.org/changeset/3475121/drag-and-drop-multiple-file-upload-contact-form-7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258?source=cve