WordPress Plugin Flaw Exposes Sites to RCE
The Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains a critical arbitrary file upload vulnerability, according to the National Vulnerability Database (NVD). This flaw, tracked as CVE-2026-5364 with a CVSS score of 8.1 (HIGH), stems from a logic error in file extension handling.
The NVD explains that the plugin extracts the file extension before sanitization. Attackers can manipulate the file type parameter, bypassing administrator-configured restrictions. Crucially, validation occurs on the unsanitized extension, but the file is saved with a sanitized one. This allows special characters, like a dollar sign ($), to be stripped during the save process, effectively changing the file type after validation. Unauthenticated attackers can exploit this to upload arbitrary PHP files, leading to potential remote code execution.
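The ordering defect described above (extension read from the raw name, validated, then the name sanitized before saving) is easiest to see side by side with the corrected ordering. The following is an added example written for this page in Python, not the plugin's PHP source: the sanitizer is a simplified stand-in for a WordPress-style filename cleaner, the `request_types` argument models the attacker-influenced "file type parameter" the advisory mentions, and the allow-list and function names are assumptions.

```python
import re
from typing import Optional

# Added, constructed model of the validate-then-sanitize defect described in
# the advisory. Not the plugin's own code; all names and lists are assumed.

# Administrator-configured allow-list, held server side.
CONFIGURED_ALLOWED = {"jpg", "png", "pdf"}

# Extensions a PHP-executing web server must never accept as uploads.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php5", "php7"}


def sanitize_file_name(name: str) -> str:
    """Simplified stand-in for a WordPress-style filename sanitizer.

    Every character outside a conservative set is dropped, so a name like
    'upload.php$' becomes 'upload.php'. This is an assumed approximation,
    not the real WordPress sanitize_file_name().
    """
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def vulnerable_save_name(raw_name: str, request_types: Optional[str] = None):
    """Flawed ordering: validate the RAW extension, then sanitize for saving.

    `request_types` models a client-supplied, pipe-separated type list that
    overrides the configured allow-list (the advisory's "file type parameter").
    Returns the name the file would be saved under, or None when rejected.
    """
    allowed = set(request_types.split("|")) if request_types else CONFIGURED_ALLOWED
    ext = extension_of(raw_name)            # extracted BEFORE sanitization
    if ext not in allowed or ext in EXECUTABLE_EXTENSIONS:
        return None
    return sanitize_file_name(raw_name)     # '$' is stripped here, after validation


def hardened_save_name(raw_name: str, request_types: Optional[str] = None):
    """Corrected ordering: sanitize first, validate the result, and never let
    the client choose the allow-list (request_types is accepted but ignored)."""
    clean = sanitize_file_name(raw_name)
    ext = extension_of(clean)               # the extension that will really be on disk
    if ext not in CONFIGURED_ALLOWED or ext in EXECUTABLE_EXTENSIONS:
        return None
    return clean


if __name__ == "__main__":
    # Constructed inputs: a name whose raw extension is 'php$' and a client
    # type list that includes that same token.
    print(vulnerable_save_name("upload.php$", "jpg|png|php$"))   # upload.php
    print(hardened_save_name("upload.php$", "jpg|png|php$"))     # None
    print(hardened_save_name("photo.jpg"))                       # photo.jpg
```

The fix is not the sanitizer itself but the order of operations: whatever name is actually written to disk is the name whose extension must be checked, and the set of permitted extensions must come from server-side configuration only.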
While an .htaccess file and filename randomization are in place and limit real-world exploitability, the core vulnerability remains severe. Defenders running this plugin must recognize that these mitigations are not a guarantee against skilled attackers. The risk of unauthenticated RCE is real, demanding immediate attention to patch or mitigate.
What This Means For You
- If your organization uses the Drag and Drop File Upload for Contact Form 7 plugin on WordPress, you are at risk of unauthenticated remote code execution. Immediately verify your plugin version and update to a patched version beyond 1.1.3. Audit your web server logs for any suspicious file uploads or unexpected PHP file creations.
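The audit step above can be scripted. The following is an added example, not part of the advisory or the plugin: it parses Apache/Nginx combined-format access log lines, flags any request for a PHP-type file under `/wp-content/uploads/` (a 200 there means the web server served or executed the file instead of denying it, which the plugin's .htaccess guard is meant to prevent), and separately walks an uploads directory for PHP files on disk. The log lines are constructed for this example, and the paths, client addresses and timestamps in them are invented.

```python
import os
import re
from typing import Dict, List, Optional

# Added audit helper for the advisory's recommendation; constructed sample
# data, not output from any real site or from the plugin.

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions that a PHP handler may execute; nothing under uploads should have them.
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"

# Constructed sample: an AJAX POST, a PHP file fetched from uploads and served
# with 200, a normal image, and a .phtml request correctly denied with 403.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2026:09:20:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2026:09:20:07 +0000] "GET /wp-content/uploads/2026/04/upload.php HTTP/1.1" 200 81 "-" "curl/8.0"
198.51.100.9 - - [24/Apr/2026:09:21:44 +0000] "GET /wp-content/uploads/2026/04/photo.jpg HTTP/1.1" 200 40312 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2026:09:22:10 +0000] "GET /wp-content/uploads/2026/04/x.phtml HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_upload_requests(log_text: str) -> List[Dict]:
    """Return records for requests of PHP-type files under the uploads tree.

    `served` is True when the server answered 200, i.e. the request was not
    blocked by the .htaccess guard that should deny such files.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore any query string
        if path.startswith(UPLOADS_PREFIX) and PHP_EXT_RE.search(path):
            rec["path"] = path
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def php_files_under(uploads_dir: str) -> List[str]:
    """List PHP-type files found anywhere beneath the uploads directory."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if PHP_EXT_RE.search(name):
                found.append(os.path.join(root, name))
    return sorted(found)


if __name__ == "__main__":
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "denied"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} ({flag})')
    # Point this at the real uploads directory of the site being audited.
    for p in php_files_under("wp-content/uploads"):
        print("PHP file on disk:", p)
```

A hit with `served` set is the one to escalate: it shows a PHP file under uploads being served with 200, so either the .htaccess guard is absent or the web server is not honouring it. The on-disk walk catches files that were uploaded but never requested yet.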
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5364 | RCE | Drag and Drop File Upload for Contact Form 7 plugin for WordPress |
| CVE-2026-5364 | Arbitrary File Upload | Drag and Drop File Upload for Contact Form 7 plugin for WordPress versions <= 1.1.3 |
| CVE-2026-5364 | Arbitrary File Upload | Vulnerable to file extension extraction before sanitization, allowing attacker-controlled file type parameter and special character stripping during save process. |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.