๐Ÿ” CVE Alert

CVE-2026-3459

HIGH 8.1

Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with โ€˜*โ€™ as the accepted file type.

CWE CWE-434
Vendor glenwpcoder
Product drag and drop multiple file upload for contact form 7
Published Mar 5, 2026
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for glenwpcoder drag and drop multiple file upload for contact form 7

Be the first to know when new high vulnerabilities affecting glenwpcoder drag and drop multiple file upload for contact form 7 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

glenwpcoder / Drag and Drop Multiple File Upload for Contact Form 7
0 โ‰ค 1.3.9.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/3205670c-5c3c-48c3-a34a-6f9c25668258?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L886 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.5/inc/dnd-upload-cf7.php#L1146 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3475121/drag-and-drop-multiple-file-upload-contact-form-7

Credits

Thomas Sanzey