Drag and Drop Multiple File Upload for Contact Form 7 Vulnerability…

Mar 5, 2026 | Plugins

Attack Vectors

CVE-2026-3459 is a High-severity issue (CVSS 8.1) affecting the WordPress plugin Drag and Drop Multiple File Upload for Contact Form 7 (slug: drag-and-drop-multiple-file-upload-contact-form-7). The vulnerability can be exploited remotely over the internet by unauthenticated attackers, meaning no login is required.

The risk becomes practical when your site uses a Contact Form 7 form that includes a multiple file upload field configured with “*” as the accepted file type. In that scenario, an attacker may be able to upload arbitrary files to the server, which can be a stepping stone to broader compromise.

Reference: CVE-2026-3459

Security Weakness

The underlying weakness is insufficient file type validation in the plugin’s dnd_upload_cf7_upload function. Wordfence reports this affects versions up to (and including) 1.3.7.3.

When file validation is too permissive, attackers can attempt to upload files the application did not intend to allow. In a web context, this type of flaw is especially serious because uploaded files may be stored on the server in a way that makes them reachable or executable, depending on the site’s configuration.
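As an added example (not the plugin's code), the following hypothetical PHP check shows the kind of allow-list validation that is missing when a "*" type configuration is honoured: a wildcard list is refused rather than read as "accept everything", every extension in the file name is inspected, and WordPress' own wp_check_filetype_and_ext() cross-checks the extension against the file's content. The "|"-separated type list, the function name and the blocked-extension list are assumptions for this illustration.

```php
<?php
// Hypothetical allow-list check for a multi-file upload field.
// $configured_types: the field's accepted types, e.g. "jpg|png|pdf" (assumed format).
// $filename: the client-supplied name; $tmp_path: the uploaded temp file on disk.
function example_is_upload_allowed(string $configured_types, string $filename, string $tmp_path): bool
{
    // A wildcard means there is no allow-list at all: refuse instead of accepting anything.
    $types = array_filter(array_map('trim', explode('|', strtolower($configured_types))));
    if ($types === [] || in_array('*', $types, true)) {
        return false;
    }

    // Never accept server-executable extensions, even if an administrator listed them.
    $blocked = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                'shtml', 'htaccess', 'cgi', 'pl', 'py', 'sh', 'exe'];

    // Inspect every extension, not just the last one (catches names such as "x.php.jpg").
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name, keep all extensions
    foreach ($parts as $ext) {
        if (in_array($ext, $blocked, true)) {
            return false;
        }
    }

    // The final extension must be on the configured allow-list.
    $ext = end($parts);
    if ($ext === false || $ext === '' || !in_array($ext, $types, true)) {
        return false;
    }

    // Inside WordPress, cross-check the claimed extension against the file content.
    if (function_exists('wp_check_filetype_and_ext')) {
        $check = wp_check_filetype_and_ext($tmp_path, $filename);
        if (empty($check['ext']) || strtolower($check['ext']) !== $ext) {
            return false;
        }
    }

    return true;
}
```

With "*" configured, the function returns false for every file; with "jpg|png", a name like "report.php.jpg" or ".htaccess" is rejected before the content check runs.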

Technical or Business Impacts

If exploited, this issue may allow attackers to place arbitrary files on your web server, and it may make remote code execution possible. For business leaders, that translates into risk of website takeover, data exposure, and disruption of revenue-generating digital channels.

Common business impacts include brand damage from defacement or malware warnings, loss of customer trust, downtime that reduces lead capture and online sales, and potential compliance exposure if personal data is accessed or systems are used to distribute malicious content. This can also trigger incident response costs, legal review, and increased scrutiny from partners or regulators depending on your industry.

Remediation: Update Drag and Drop Multiple File Upload for Contact Form 7 to 1.3.9.6 or a newer patched version. Source: Wordfence vulnerability record.

Similar Attacks

Unrestricted or weakly validated file uploads have repeatedly led to real-world compromises in website and plugin ecosystems. Examples include:

CVE-2020-10564 (WP File Upload plugin)
CVE-2020-25213 (File Manager plugin)
